Edit tour

Windows Analysis Report
Script.exe

Overview

General Information

Sample name:	Script.exe
Analysis ID:	1580861
MD5:	67c5febee5ac88f818bf4ccda569355e
SHA1:	23ec76d3401f75dd0be8c49ae6b1bdb6e605a5b3
SHA256:	4d159c190a63848376182af0e35d175ac1aa3540544dba3167508df890d98496
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Script.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\Script.exe" MD5: 67C5FEBEE5AC88F818BF4CCDA569355E)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Script.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\Script.exe" MD5: 67C5FEBEE5AC88F818BF4CCDA569355E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tentabatte.lat", "bashfulacid.lat", "observerfry.lat", "slipperyloo.lat", "wordyfindy.lat", "shapestickyr.lat", "talkynicer.lat", "manyrestro.lat", "curverpluch.lat"], "Build id": "yau6Na--6331801298"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:33:02.584284+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	23.55.153.106	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:33:00.542140+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.4	64387	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:32:59.954185+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.4	52188	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:32:59.052098+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.4	56602	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:32:59.365338+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.4	57659	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:32:58.830318+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.4	54914	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:32:59.596380+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.4	63049	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:33:00.320643+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.4	52068	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:32:58.601483+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.4	63270	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:33:03.402350+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["tentabatte.lat", "bashfulacid.lat", "observerfry.lat", "slipperyloo.lat", "wordyfindy.lat", "shapestickyr.lat", "talkynicer.lat", "manyrestro.lat", "curverpluch.lat"], "Build id": "yau6Na--6331801298"}

Multi AV Scanner detection for submitted file

Source: Script.exe

Virustotal: Detection: 44%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.1% probability

Machine Learning detection for sample

Source: Script.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: observerfry.lat
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String decryptor: yau6Na--6331801298

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00801A80 FreeConsole,CryptDestroyKey,

2_2_00801A80

Source: Script.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: Script.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0081A1A8 FindFirstFileExW,		0_2_0081A1A8
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0081A259 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_0081A259

Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-65h]	2_2_0043D4E1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00429070
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then xor ebx, ebx	2_2_00429070
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	2_2_0042D0CD
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ebx, eax	2_2_004058D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ebp, eax	2_2_004058D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	2_2_004158FC
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_00416896
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	2_2_0042C89E
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042B8BD
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042B963
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx+04h]	2_2_0040D907
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	2_2_0040D11B
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edi, eax	2_2_0040D11B
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h]	2_2_00440180
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	2_2_0041598C
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 088030A7h	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 11A82DE9h	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, eax	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E87DD67h	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 798ECF08h	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11A82DE9h	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+06h]	2_2_0041B9A0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5C093193h]	2_2_0041B25A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, ebx	2_2_00417A75
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, eax	2_2_00417207
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042B215
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp ecx	2_2_0043F286
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00417AB8
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [esp], ecx	2_2_0042BB60
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [esp], ecx	2_2_0042BB66
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_00402B70
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000098h]	2_2_00421B00
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+02h]	2_2_00421B00
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_0043DB10
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_0043D325
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_004163C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4EB33D1Fh]	2_2_004163C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+28h]	2_2_004163C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then test eax, eax	2_2_004393D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then push eax	2_2_004393D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0041A3A0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp word ptr [edi+ecx+02h], 0000h	2_2_0040B3BB
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-2Ch]	2_2_0043E450
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h]	2_2_00440450
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_00409400
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, eax	2_2_00426430
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	2_2_0040E49F
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov eax, dword ptr [0044A454h]	2_2_0040C4AE
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-2DCF3881h]	2_2_00414555
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042856C
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, dword ptr [00446180h]	2_2_00415506
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 120360DAh	2_2_00415506
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00418DC5
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	2_2_0041D5B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28h]	2_2_0041864E
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00428630
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp cl, 0000002Eh	2_2_00426639
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_00426639
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1EB1B608h]	2_2_0042963E
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+28h]	2_2_00417EEE
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_00417EEE
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00429E80
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_00415E9A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	2_2_00415E9A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_00415E9A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_00415E9A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E0A81160h	2_2_00415E9A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-098D4F7Eh]	2_2_00415E9A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	2_2_0043CEA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00409EB9
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000278h]	2_2_00417745
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00418F52
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, eax	2_2_00440770
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00435F00
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1EB1B608h]	2_2_0042963E
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx]	2_2_0040AF23
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx]	2_2_0043F730
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4557D5DCh]	2_2_004387D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_004167E1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp eax	2_2_00424F80
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebp-1EB1B624h]	2_2_004257AC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.4:56602 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.4:52188 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.4:64387 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.4:54914 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.4:63270 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.4:57659 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.4:63049 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.4:52068 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 23.55.153.106:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: observerfry.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: curverpluch.lat

Source: Joe Sandbox View

IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 23.55.153.106:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https:// equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000003.1724108178.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=e67d40d0cdbbde9dda121e45; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 26 Dec 2024 11:33:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control;8h equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https:// equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000003.1724108178.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=e67d40d0cdbbde9dda121e45; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 26 Dec 2024 11:33:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control;8h equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: observerfry.lat
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Script.exe, 00000002.00000002.1724933061.0000000001293000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Script.exe, 00000002.00000003.1724108178.00000000012AB000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723940386.00000000012A9000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1724990643.00000000012AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900E8
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Script.exe, 00000002.00000003.1724234746.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1724108178.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Script.exe, 00000002.00000003.1724108178.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Script.exe, 00000002.00000003.1723940386.000000000128A000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00433500 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00433500

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00433500 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00433500

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00801000	0_2_00801000
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00807B46	0_2_00807B46
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00812370	0_2_00812370
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0081FCA2	0_2_0081FCA2
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0080C692	0_2_0080C692
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0081DECA	0_2_0081DECA
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004098CE	2_2_004098CE
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043DBAC	2_2_0043DBAC
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00429070	2_2_00429070
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00409000	2_2_00409000
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00428000	2_2_00428000
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041C0C0	2_2_0041C0C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004058D0	2_2_004058D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004038D0	2_2_004038D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004230D3	2_2_004230D3
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00423750	2_2_00423750
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00426090	2_2_00426090
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043E8A7	2_2_0043E8A7
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042A950	2_2_0042A950
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042217D	2_2_0042217D
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040D11B	2_2_0040D11B
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041C920	2_2_0041C920
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004301D5	2_2_004301D5
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004239E0	2_2_004239E0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004391E1	2_2_004391E1
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00408180	2_2_00408180
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00406180	2_2_00406180
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00440180	2_2_00440180
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042C98C	2_2_0042C98C
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041E990	2_2_0041E990
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041A190	2_2_0041A190
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00419190	2_2_00419190
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041B9A0	2_2_0041B9A0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00418241	2_2_00418241
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041FA74	2_2_0041FA74
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00430A78	2_2_00430A78
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00417207	2_2_00417207
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00433210	2_2_00433210
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00428A31	2_2_00428A31
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00415A3C	2_2_00415A3C
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042C2C1	2_2_0042C2C1
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00404280	2_2_00404280
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00417AB8	2_2_00417AB8
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00423B40	2_2_00423B40
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D350	2_2_0041D350
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00421B00	2_2_00421B00
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042D306	2_2_0042D306
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00411BC0	2_2_00411BC0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004163C0	2_2_004163C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004393D0	2_2_004393D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004383D0	2_2_004383D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042D3F1	2_2_0042D3F1
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00425380	2_2_00425380
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F380	2_2_0043F380
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00422B84	2_2_00422B84
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041CB90	2_2_0041CB90
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042D391	2_2_0042D391
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00422BA0	2_2_00422BA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00404BB0	2_2_00404BB0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00440450	2_2_00440450
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042B46E	2_2_0042B46E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00436C7D	2_2_00436C7D
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00409400	2_2_00409400
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00426430	2_2_00426430
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042B435	2_2_0042B435
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00418CE1	2_2_00418CE1
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00439C8E	2_2_00439C8E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F490	2_2_0043F490
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040E49F	2_2_0040E49F
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004374A3	2_2_004374A3
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004384B0	2_2_004384B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00427D52	2_2_00427D52
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00414555	2_2_00414555
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042856C	2_2_0042856C
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00415506	2_2_00415506
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00427527	2_2_00427527
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041052C	2_2_0041052C
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043EDCE	2_2_0043EDCE
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F5E0	2_2_0043F5E0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00437D80	2_2_00437D80
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D5B0	2_2_0041D5B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00406610	2_2_00406610
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042E617	2_2_0042E617
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00405E20	2_2_00405E20
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00427E22	2_2_00427E22
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00428630	2_2_00428630
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00430637	2_2_00430637
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00426639	2_2_00426639
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00402ED0	2_2_00402ED0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00417EEE	2_2_00417EEE
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043FEF0	2_2_0043FEF0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F690	2_2_0043F690
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00415E9A	2_2_00415E9A
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00414EA0	2_2_00414EA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040F6AA	2_2_0040F6AA
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042774C	2_2_0042774C
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00423750	2_2_00423750
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00421770	2_2_00421770
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00440770	2_2_00440770
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040AF23	2_2_0040AF23
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F730	2_2_0043F730
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043C730	2_2_0043C730
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00410FC8	2_2_00410FC8
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00426FD0	2_2_00426FD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004387D0	2_2_004387D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00437FE0	2_2_00437FE0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040A780	2_2_0040A780
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041CFA0	2_2_0041CFA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004257AC	2_2_004257AC
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00801000	2_2_00801000
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00807B46	2_2_00807B46
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00812370	2_2_00812370
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0081FCA2	2_2_0081FCA2
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0080C692	2_2_0080C692
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0081DECA	2_2_0081DECA

Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00808050 appears 102 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 008107A7 appears 42 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00407F80 appears 48 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 008152BD appears 40 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00414290 appears 76 times

Source: Script.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Script.exe

Static PE information: Section: .bss ZLIB complexity 1.0003249845551894

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@10/1

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00431090 CoCreateInstance,

2_2_00431090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03

Source: Script.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Script.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Script.exe

Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\Script.exe

File read: C:\Users\user\Desktop\Script.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Script.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0080820A push ecx; ret	0_2_0080821D
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004488E1 push edi; ret	2_2_004488E3
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F2F0 push eax; mov dword ptr [esp], F5F4FB8Ah	2_2_0043F2F2
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0080820A push ecx; ret	2_2_0080821D

Source: C:\Users\user\Desktop\Script.exe

API coverage: 3.4 %

Source: C:\Users\user\Desktop\Script.exe TID: 7512	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Script.exe TID: 7512	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0081A1A8 FindFirstFileExW,		0_2_0081A1A8
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0081A259 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_0081A259

Source: Script.exe, 00000002.00000003.1724108178.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: Script.exe, 00000002.00000003.1724108178.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_0043DA10 LdrInitializeThunk,

2_2_0043DA10

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_008104F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008104F9

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_0082F19E mov edi, dword ptr fs:[00000030h]	0_2_0082F19E
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00801360 mov edi, dword ptr fs:[00000030h]	0_2_00801360
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00801730 mov edi, dword ptr fs:[00000030h]	0_2_00801730
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00801360 mov edi, dword ptr fs:[00000030h]	2_2_00801360
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00801730 mov edi, dword ptr fs:[00000030h]	2_2_00801730

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_00815BB5 GetProcessHeap,

0_2_00815BB5

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00807B1E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00807B1E
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_008104F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008104F9
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00807ECE SetUnhandledExceptionFilter,	0_2_00807ECE
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00807EDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00807EDA
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00807B1E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00807B1E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_008104F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008104F9
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00807ECE SetUnhandledExceptionFilter,	2_2_00807ECE
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00807EDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00807EDA

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_0082F19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0082F19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Script.exe

Memory written: C:\Users\user\Desktop\Script.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: Script.exe, 00000000.00000002.1671339573.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: observerfry.lat

Source: C:\Users\user\Desktop\Script.exe

Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	0_2_00819AB0
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	0_2_00819A51
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	0_2_00819B85
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	0_2_00819BD0
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	0_2_008154A0
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00819C77
Source: C:\Users\user\Desktop\Script.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00819512
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	0_2_00819D7D
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	0_2_00814EFC
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_008197FE
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	0_2_00819763
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	2_2_00819AB0
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	2_2_00819A51
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	2_2_00819B85
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	2_2_00819BD0
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	2_2_008154A0
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00819C77
Source: C:\Users\user\Desktop\Script.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00819512
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	2_2_00819D7D
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	2_2_00814EFC
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_008197FE
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	2_2_00819763

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_00808C37 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00808C37

Source: C:\Users\user\Desktop\Script.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Script.exe	44%	Virustotal		Browse
Script.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
wordyfindy.lat	unknown	unknown	true	unknown
slipperyloo.lat	unknown	unknown	true	unknown
curverpluch.lat	unknown	unknown	true	unknown
tentabatte.lat	unknown	unknown	true	unknown
manyrestro.lat	unknown	unknown	true	unknown
bashfulacid.lat	unknown	unknown	true	unknown
shapestickyr.lat	unknown	unknown	true	unknown
observerfry.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
slipperyloo.lat	false	high
curverpluch.lat	false	high
tentabatte.lat	false	high
manyrestro.lat	false	high
bashfulacid.lat	false	high
observerfry.lat	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
wordyfindy.lat	false	high
shapestickyr.lat	false	high
talkynicer.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Script.exe, 00000002.00000003.1723940386.000000000128A000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Script.exe, 00000002.00000003.1724108178.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	Script.exe, 00000002.00000002.1725025355.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/76561199724331900E8	Script.exe, 00000002.00000003.1724108178.00000000012AB000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723940386.00000000012A9000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1724990643.00000000012AC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	Script.exe, 00000002.00000002.1724859603.000000000127C000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	Script.exe, 00000002.00000003.1724234746.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1724108178.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1724328579.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1725071349.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	Script.exe, 00000002.00000003.1723915477.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580861
Start date and time:	2024-12-26 12:32:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Script.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 32 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:32:57	API Interceptor	5x Sleep call for process: Script.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.55.153.106	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse
	jSFUzuYPG9.exe	Get hash	malicious	LummaC	Browse
	HK8IIasL9i.exe	Get hash	malicious	LummaC	Browse
	OGBLsboKIF.exe	Get hash	malicious	LummaC	Browse
	NfwBtCx5PR.exe	Get hash	malicious	LummaC	Browse
	pJRiqnTih0.exe	Get hash	malicious	LummaC	Browse
	5XXofntDiN.exe	Get hash	malicious	LummaC	Browse
	xxLuwS60RS.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	104.121.10.34
	2ZsJ2iP8Q2.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LopCYSStr3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	LNn56KMkEE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	VBHyEN96Pw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BVGvbpplT8.exe	Get hash	malicious	LummaC, Stealc	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	23.44.201.30
	armv7l.elf	Get hash	malicious	Mirai	Browse	2.18.19.83
	armv5l.elf	Get hash	malicious	Mirai	Browse	23.62.62.162
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	23.209.72.39
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	88.221.134.155
	3zg6i6Zu1u.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	oiF7u78bY2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	172.232.216.250
	L5Kgf2Tvkc.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	1C6ljtnwXP.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	1C6ljtnwXP.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	RIMz2N1u5y.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5RRVBiCpFI.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	MPySEh8HaF.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	23.55.153.106
	ciwa.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer	Browse	23.55.153.106
	Set-up.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	setup.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.657978411670829
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Script.exe
File size:	513'536 bytes
MD5:	67c5febee5ac88f818bf4ccda569355e
SHA1:	23ec76d3401f75dd0be8c49ae6b1bdb6e605a5b3
SHA256:	4d159c190a63848376182af0e35d175ac1aa3540544dba3167508df890d98496
SHA512:	28799299834a1f056f86c82e0ebbee8a5a7fb88cc81ecb188eeb72b327b412e0b91fb26bea941930ae99bf0ad5a0ef29491141a4e2e6857083a03adae6a2cda0
SSDEEP:	12288:6ZqOSYt4cgd2+cOJlnDYrPLPJgu4dgT6lYDfAmy/yqvykheLk:6sOSKgxbDgPLxZ4GO+y3heQ
TLSH:	27B4E161B6C1C072D96305709DF4EBB59A3EB8600F216ADFA7D4473F8E312D1873662A
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:........................@.......................... ............@.....................................<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x408be2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x676BFDDD [Wed Dec 25 12:43:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a9da46e39a9cdaffa6def3d7b746c0a0

Entrypoint Preview

Instruction
call 00007FB718E984DAh
jmp 00007FB718E98349h
mov ecx, dword ptr [0042F800h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FB718E984D6h
test esi, ecx
jne 00007FB718E984F8h
call 00007FB718E98501h
mov ecx, eax
cmp ecx, edi
jne 00007FB718E984D9h
mov ecx, BB40E64Fh
jmp 00007FB718E984E0h
test esi, ecx
jne 00007FB718E984DCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0042F800h], ecx
not ecx
pop edi
mov dword ptr [0042F840h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0042DA5Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0042DA10h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042DA0Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0042DAA4h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00430F88h
call dword ptr [0042DA7Ch]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FB718E9F23Ah
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d7f4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x34000	0x1d80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x29b28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25fb0	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2d9a0	0x170	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2381e	0x23a00	28687a01c6fa568872ae982fba881cfb	False	0.576404879385965	data	6.645994573837695	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x9de4	0x9e00	47199544a5de9c952a99bdeba92246a4	False	0.4287232990506329	data	4.98242541383292	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0x2754	0x1800	8ef6ad6dc3390546a2e587d33b754c2c	False	0.3720703125	data	4.57694484359984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x32000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33000	0xe8	0x200	76660b904055370f27d3dce420e17802	False	0.306640625	data	2.338577594010538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x34000	0x1d80	0x1e00	454b42aa5668ecfd23670a763d59b9d2	False	0.77265625	data	6.5387366619530765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x36000	0x4be00	0x4be00	727780c41a56cb59abea7c74869ef198	False	1.0003249845551894	data	7.999365946039725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x33060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ADVAPI32.dll

CryptDestroyKey

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T12:32:58.601483+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.4	63270	1.1.1.1	53	UDP
2024-12-26T12:32:58.830318+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.4	54914	1.1.1.1	53	UDP
2024-12-26T12:32:59.052098+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.4	56602	1.1.1.1	53	UDP
2024-12-26T12:32:59.365338+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.4	57659	1.1.1.1	53	UDP
2024-12-26T12:32:59.596380+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.4	63049	1.1.1.1	53	UDP
2024-12-26T12:32:59.954185+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.4	52188	1.1.1.1	53	UDP
2024-12-26T12:33:00.320643+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.4	52068	1.1.1.1	53	UDP
2024-12-26T12:33:00.542140+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.4	64387	1.1.1.1	53	UDP
2024-12-26T12:33:02.584284+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	23.55.153.106	443	TCP
2024-12-26T12:33:03.402350+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49730	23.55.153.106	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:33:01.096652985 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:01.096693039 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:01.096901894 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:01.100040913 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:01.100052118 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:02.584198952 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:02.584284067 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:02.588910103 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:02.588922024 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:02.589190006 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:02.630156994 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:02.652082920 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:02.699336052 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.402419090 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.402451038 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.402491093 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.402508974 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.402518988 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:03.402537107 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.402548075 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.402597904 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:03.402664900 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:03.594597101 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.594644070 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.594657898 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.594680071 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:03.594696045 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.594739914 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:03.595983028 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:03.595993042 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.596144915 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.596174955 CET	443	49730	23.55.153.106	192.168.2.4
Dec 26, 2024 12:33:03.596220970 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:03.596375942 CET	49730	443	192.168.2.4	23.55.153.106
Dec 26, 2024 12:33:03.596389055 CET	443	49730	23.55.153.106	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:32:58.379947901 CET	56510	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:32:58.598943949 CET	53	56510	1.1.1.1	192.168.2.4
Dec 26, 2024 12:32:58.601483107 CET	63270	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:32:58.826196909 CET	53	63270	1.1.1.1	192.168.2.4
Dec 26, 2024 12:32:58.830317974 CET	54914	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:32:59.047708035 CET	53	54914	1.1.1.1	192.168.2.4
Dec 26, 2024 12:32:59.052098036 CET	56602	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:32:59.362476110 CET	53	56602	1.1.1.1	192.168.2.4
Dec 26, 2024 12:32:59.365338087 CET	57659	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:32:59.594142914 CET	53	57659	1.1.1.1	192.168.2.4
Dec 26, 2024 12:32:59.596379995 CET	63049	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:32:59.916052103 CET	53	63049	1.1.1.1	192.168.2.4
Dec 26, 2024 12:32:59.954185009 CET	52188	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:33:00.256306887 CET	53	52188	1.1.1.1	192.168.2.4
Dec 26, 2024 12:33:00.320642948 CET	52068	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:33:00.540072918 CET	53	52068	1.1.1.1	192.168.2.4
Dec 26, 2024 12:33:00.542140007 CET	64387	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:33:00.945806026 CET	53	64387	1.1.1.1	192.168.2.4
Dec 26, 2024 12:33:00.947418928 CET	51272	53	192.168.2.4	1.1.1.1
Dec 26, 2024 12:33:01.090037107 CET	53	51272	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 26, 2024 12:32:58.379947901 CET	192.168.2.4	1.1.1.1	0xf097	Standard query (0)	observerfry.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:58.601483107 CET	192.168.2.4	1.1.1.1	0xdcd9	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:58.830317974 CET	192.168.2.4	1.1.1.1	0x70fc	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:59.052098036 CET	192.168.2.4	1.1.1.1	0x8c86	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:59.365338087 CET	192.168.2.4	1.1.1.1	0xa8fc	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:59.596379995 CET	192.168.2.4	1.1.1.1	0xa441	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:59.954185009 CET	192.168.2.4	1.1.1.1	0xc3c1	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:33:00.320642948 CET	192.168.2.4	1.1.1.1	0x984c	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:33:00.542140007 CET	192.168.2.4	1.1.1.1	0x7bfc	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:33:00.947418928 CET	192.168.2.4	1.1.1.1	0x7be8	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 26, 2024 12:32:58.598943949 CET	1.1.1.1	192.168.2.4	0xf097	Name error (3)	observerfry.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:58.826196909 CET	1.1.1.1	192.168.2.4	0xdcd9	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:59.047708035 CET	1.1.1.1	192.168.2.4	0x70fc	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:59.362476110 CET	1.1.1.1	192.168.2.4	0x8c86	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:59.594142914 CET	1.1.1.1	192.168.2.4	0xa8fc	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:32:59.916052103 CET	1.1.1.1	192.168.2.4	0xa441	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:33:00.256306887 CET	1.1.1.1	192.168.2.4	0xc3c1	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:33:00.540072918 CET	1.1.1.1	192.168.2.4	0x984c	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:33:00.945806026 CET	1.1.1.1	192.168.2.4	0x7bfc	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:33:01.090037107 CET	1.1.1.1	192.168.2.4	0x7be8	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	23.55.153.106	443	7492	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:33:02 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-26 11:33:03 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 26 Dec 2024 11:33:03 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=e67d40d0cdbbde9dda121e45; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-26 11:33:03 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-26 11:33:03 UTC	10097	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>
2024-12-26 11:33:03 UTC	1089	IN	Data Raw: 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e 65 72 73 20 69 6e 20 74 68 65 20 55 53 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 75 6e 74 72 69 65 73 2e 3c 62 72 2f 3e 53 6f 6d 65 20 67 65 6f 73 70 61 74 69 61 6c 20 64 61 74 61 20 6f 6e 20 74 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 70 72 6f 76 69 64 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09 Data Ascii: heir respective owners in the US and other countries.<br/>Some geospatial data on this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br>

Target ID:	0
Start time:	06:32:56
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\Script.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Script.exe"
Imagebase:	0x800000
File size:	513'536 bytes
MD5 hash:	67C5FEBEE5AC88F818BF4CCDA569355E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:32:56
Start date:	26/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:32:56
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\Script.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Script.exe"
Imagebase:	0x800000
File size:	513'536 bytes
MD5 hash:	67C5FEBEE5AC88F818BF4CCDA569355E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 0082F19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0082F110,0082F100), ref: 0082F334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0082F347
Wow64GetThreadContext.KERNEL32(00000118,00000000), ref: 0082F365
ReadProcessMemory.KERNELBASE(0000011C,?,0082F154,00000004,00000000), ref: 0082F389
VirtualAllocEx.KERNELBASE(0000011C,?,?,00003000,00000040), ref: 0082F3B4
WriteProcessMemory.KERNELBASE(0000011C,00000000,?,?,00000000,?), ref: 0082F40C
WriteProcessMemory.KERNELBASE(0000011C,00400000,?,?,00000000,?,00000028), ref: 0082F457
WriteProcessMemory.KERNELBASE(0000011C,?,?,00000004,00000000), ref: 0082F495
Wow64SetThreadContext.KERNEL32(00000118,00DD0000), ref: 0082F4D1
ResumeThread.KERNELBASE(00000118), ref: 0082F4E0

Strings

WriteProcessMemory, xrefs: 0082F2AF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 0082F333
GetThreadContext, xrefs: 0082F276
CreateProcessW, xrefs: 0082F250
ReadProcessMemory, xrefs: 0082F289
GetP, xrefs: 0082F21E
Load, xrefs: 0082F1DA
aryA, xrefs: 0082F1E2
VirtualAlloc, xrefs: 0082F263
ResumeThread, xrefs: 0082F2D8
ress, xrefs: 0082F226
VirtualAllocEx, xrefs: 0082F29C
SetThreadContext, xrefs: 0082F2C2
TerminateProcess, xrefs: 0082F3C3

Memory Dump Source

Source File: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: b26e344bd2dbf6caf785f9001d8403f5a6f2b94cfdc7605fabf0ec6d3acc44a6
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: F1B1E57664064AAFDB60CF68CC80BDA73A5FF88714F158524EA08EB342D774FA51CB94

Function 00801730 Relevance: 12.2, APIs: 8, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00801180: _strlen.LIBCMT ref: 008011EA

CreateFileA.KERNELBASE ref: 00801791
GetFileSize.KERNEL32(00000000,00000000), ref: 008017A1
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 008017C7
CloseHandle.KERNELBASE(00000000), ref: 008017D6
_strlen.LIBCMT ref: 00801834
CloseHandle.KERNEL32(00000000), ref: 00801946
GetModuleHandleA.KERNEL32(00000000), ref: 008019A7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 008019B6

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: File$Handle$CloseModule_strlen$CreateNameReadSize
String ID:
API String ID: 4043702072-0
Opcode ID: 78cbe540d81b8af2855bf38e89ba3f7a7691eb7c6b2cb9f0932003147c610716
Instruction ID: aa2d2600634c3ae861eb9d29c961626da3c12fb9e2bbb305c6fc399f5f5e420b
Opcode Fuzzy Hash: 78cbe540d81b8af2855bf38e89ba3f7a7691eb7c6b2cb9f0932003147c610716
Instruction Fuzzy Hash: 4C61F6B29043019FDB50EF28CC89B2ABBE4FF99324F458928F489D7291E734D9448793

Function 00801360 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

Soon... Soon..., xrefs: 0080150B

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID: Soon... Soon...
API String ID: 0-2191780827
Opcode ID: a3610db38ef29b445b653f89cea45805b1f5ab3ec7ae582f1b6c59c5da300673
Instruction ID: 95af04a3c98136a694dc7a1aacddfcfb0ce999bde9820c22c171346abb64c73d
Opcode Fuzzy Hash: a3610db38ef29b445b653f89cea45805b1f5ab3ec7ae582f1b6c59c5da300673
Instruction Fuzzy Hash: 1B71B6352093448FC754DB28D8996FABBE5FFD5324F18486DE48ACB392C634D944CB92

Function 008151F2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,B7B1FB39,?,00815301,?,?,00000000), ref: 008152B3

Strings

ext-ms-, xrefs: 0081525D
api-ms-, xrefs: 00815249

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 4e6b7944413d0bbe51c2bc9c32f8bcbe574c530f2f04072af0cad8b78c95f98b
Instruction ID: 2c2ec1a3248032914d8bc9d670d8a3628944364ff3b2cee5f8bdee548ae2d0bd
Opcode Fuzzy Hash: 4e6b7944413d0bbe51c2bc9c32f8bcbe574c530f2f04072af0cad8b78c95f98b
Instruction Fuzzy Hash: A4210233A01A25EBCB219B65AC45EDA7B6CFFC1760F200520ED16E7280D734ED80C6D0

Function 00801B30 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00801B4A

Strings

ios_base::badbit set, xrefs: 00801EE4, 00801F02
ios_base::eofbit set, xrefs: 00801ED4
ios_base::failbit set, xrefs: 00801ED9

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: ef78bea0313dcb8e37cdfea193307389afbe197893ebf72e17b4bf637dbf3d8e
Instruction ID: 43ec8c08ffa3081cc5ef54016d7302bf23c5df0b52914380b2226be939851eb0
Opcode Fuzzy Hash: ef78bea0313dcb8e37cdfea193307389afbe197893ebf72e17b4bf637dbf3d8e
Instruction Fuzzy Hash: CCC17B352042018FDB54CF28C898B6AB7E1FF89328F55866CE999CB3A1D735EC45CB81

Function 0080DA29 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_0000DB41,00000000,?,?), ref: 0080DA72
GetLastError.KERNEL32 ref: 0080DA7E
__dosmaperr.LIBCMT ref: 0080DA85

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: dc0abdaf6b493285f95fc51bc6deba4f3c9546c099fd5efd556d032fa0fe7bb3
Instruction ID: aab3c40a728030242e3196fbe26717f5fe4072bd56085b94183888caa69baaa5
Opcode Fuzzy Hash: dc0abdaf6b493285f95fc51bc6deba4f3c9546c099fd5efd556d032fa0fe7bb3
Instruction Fuzzy Hash: BA016972614329AFDF559FE4DC06A9E7BA5FF40364F108028FC01D2191DB708A40DB91

Function 0080DBBF Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008145B4: GetLastError.KERNEL32(00000000,?,0080FDB2,008155E2,?,?,008144B0,00000001,00000364,?,00000003,000000FF,?,0080DB66,0082E6D8,0000000C), ref: 008145B8
Part of subcall function 008145B4: SetLastError.KERNEL32(00000000), ref: 0081465A

CloseHandle.KERNEL32(?,?,?,0080DAB9,?,?,0080DB9F,00000000), ref: 0080DBF0
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,0080DAB9,?,?,0080DB9F,00000000), ref: 0080DC06
ExitThread.KERNEL32 ref: 0080DC0F

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 6c9476eac27d9cf3b8df6c3f264ab3d78ef1daa88e40f87104d25b2a49f6ce5a
Instruction ID: 0190da64c7f3d0c78d88b78c83f8ef635d676f6f9bc05bb9d1e228490b121b2a
Opcode Fuzzy Hash: 6c9476eac27d9cf3b8df6c3f264ab3d78ef1daa88e40f87104d25b2a49f6ce5a
Instruction Fuzzy Hash: 4CF0F8315017016BEB716BA9CD09A9A3FD9FF41360B198710FC65C76E1DB60DC82C651

Function 0080DD30 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,0080DDF2,00810A45,00810A45,?,00000002,B7B1FB39,00810A45,00000002), ref: 0080DD41
TerminateProcess.KERNEL32(00000000,?,0080DDF2,00810A45,00810A45,?,00000002,B7B1FB39,00810A45,00000002), ref: 0080DD48
ExitProcess.KERNEL32 ref: 0080DD5A

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d8d956b1c432790e47c9d623be69eefe1a7da2c220c53dccdb2154aaa8a6c5b8
Instruction ID: 1eb3b5df1a7f2e48a0185a6189bf78044eb3fa24c4ad22ad5b2eed842183c3af
Opcode Fuzzy Hash: d8d956b1c432790e47c9d623be69eefe1a7da2c220c53dccdb2154aaa8a6c5b8
Instruction Fuzzy Hash: 43D06C32004318BBCBA12FA4DD0D9893F6AFB84341B148010B90A8A1B2CB7199939B81

Function 00802780 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 008027A8

Strings

ios_base::badbit set, xrefs: 00802782

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set
API String ID: 4218353326-3882152299
Opcode ID: cef838cc6bfe155c71b34a88eac02bc020bb68166cf1b15d08ecc10a51163600
Instruction ID: c42a131ce7aa2910b70c3f15e8b69b373d19114151885f48ee6675346a16059e
Opcode Fuzzy Hash: cef838cc6bfe155c71b34a88eac02bc020bb68166cf1b15d08ecc10a51163600
Instruction Fuzzy Hash: E731FEB1A043059BD740EF28CC8991EBAEAFF99304F154929F085C7282E771D98887A3

Function 0081BE60 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0081C20A: GetConsoleOutputCP.KERNEL32(B7B1FB39,00000000,00000000,?), ref: 0081C26D

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,0080C0E2,?,0080C344), ref: 0081BFE5
GetLastError.KERNEL32(?,0080C0E2,?,0080C344,?,0080C344,?,?,?,?,?,?,?,?,?,?), ref: 0081BFEF

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 889cfce3d2732c471afe337ea3dcb3a716e1ef2325bff705b58855f3bc9fa348
Instruction ID: f0c9c29f0728f273cd02203e4c37c1432b4e5fe8354a16f65c7e1916c9bed56f
Opcode Fuzzy Hash: 889cfce3d2732c471afe337ea3dcb3a716e1ef2325bff705b58855f3bc9fa348
Instruction Fuzzy Hash: 5D619D71904219AFDF15DFA8CC84AEEBBBDFF49308F140185E900E7252D772D9828BA1

Function 0081C639 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,0081BFCB,?,0080C344,?,?,?,00000000), ref: 0081C6D5
GetLastError.KERNEL32(?,0081BFCB,?,0080C344,?,?,?,00000000,?,?,?,?,?,0080C0E2,?,0080C344), ref: 0081C6FB

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: b79813f8b14d77d6581588dc5413f0f9a1fce46c0c890e7c3ad0cfa106222081
Instruction ID: 9a3163c9e390531863c4ea5b39aa48522c1ec15b21b7986d266f6210de5e2d8c
Opcode Fuzzy Hash: b79813f8b14d77d6581588dc5413f0f9a1fce46c0c890e7c3ad0cfa106222081
Instruction Fuzzy Hash: 64217C74A002199FCB15CF29DC80AE9B7BAFF59305F2440AAE946D7251D7309E82CF60

Function 00815D12 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,00815C01,0082EC08), ref: 00815D5E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,00815C01,0082EC08), ref: 00815D70

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 2c70f4493e128fb33ef5f88f12ad33f4c91b101a85e01968961dbcd48ad19db3
Instruction ID: f49ad1890981c0f8bc1fde91ae787d88584f22959c44d13adb5fb98ef576ad7e
Opcode Fuzzy Hash: 2c70f4493e128fb33ef5f88f12ad33f4c91b101a85e01968961dbcd48ad19db3
Instruction Fuzzy Hash: D7116061504F51CACB308A3EAC9C5A26AAAFFD6334B380769D1B7C65F1C624D8C6D741

Function 00801A80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00801A90

Part of subcall function 00801B30: _strlen.LIBCMT ref: 00801B4A

Part of subcall function 00803510: std::_Lockit::_Lockit.LIBCPMT ref: 0080352C
Part of subcall function 00803510: std::_Lockit::_Lockit.LIBCPMT ref: 0080354A
Part of subcall function 00803510: std::_Lockit::~_Lockit.LIBCPMT ref: 0080356C
Part of subcall function 00803510: std::_Lockit::~_Lockit.LIBCPMT ref: 008035DA

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 00801B07

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$ConsoleDispatcherExceptionFreeUser_strlen
String ID:
API String ID: 2861529853-0
Opcode ID: 1a70df675f36dd4c7e019a401621944115419aa1c66a16229ad9e153f04c7145
Instruction ID: 69d76e6f2789b0d6461c114d602e58c2c9d7283fcc64e815d977965180b1ce7f
Opcode Fuzzy Hash: 1a70df675f36dd4c7e019a401621944115419aa1c66a16229ad9e153f04c7145
Instruction Fuzzy Hash: D21130347002009FCB94AB78DC5EA2A7BE4FF89751B458468F44ACB3E2DA30DC41CB52

Function 0080DB41 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(0082E6D8,0000000C), ref: 0080DB54
ExitThread.KERNEL32 ref: 0080DB5B

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: e5c584a36fd84672d3baa18958393fa7a17dc5001453bf000b69cb056fb91cd6
Instruction ID: d8209ae0fb893ca627c925dd0433c26fb2c9ba4c4ebdbd30673622a727d84168
Opcode Fuzzy Hash: e5c584a36fd84672d3baa18958393fa7a17dc5001453bf000b69cb056fb91cd6
Instruction Fuzzy Hash: ECF04F719047149FEB10ABB4DC4AAAE3B74FF84720F204549F401D72A2CB755981CFA2

Function 008141D7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00818554,?,00000000,?,?,008181F4,?,00000007,?,?,00818B3A,?,?), ref: 008141ED
GetLastError.KERNEL32(?,?,00818554,?,00000000,?,?,008181F4,?,00000007,?,?,00818B3A,?,?), ref: 008141F8

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: a437563259e9a08c675b9b3b72fe208aeb1dd6370c317daa573a861f1a992baa
Instruction ID: af126660a949b91ab22984afa3051542ba6566746fb62cc259b28d1268b590f8
Opcode Fuzzy Hash: a437563259e9a08c675b9b3b72fe208aeb1dd6370c317daa573a861f1a992baa
Instruction Fuzzy Hash: 5BE08C32104214ABCB312BA8AC0CF893BADFF80B51F118020FA08C78A2CB70C8C0CB94

Function 00814463 Relevance: 2.6, APIs: 2, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
SetLastError.KERNEL32(00000000), ref: 00814509

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 956b10c552af9642c474fafe05bbdf0795f2164e293c95cafad7bc0c8e3c23b3
Instruction ID: a255a6ebec9a5ce3e85d05b6530425dce9718dda7a259e4abe1574ce5dbaf017
Opcode Fuzzy Hash: 956b10c552af9642c474fafe05bbdf0795f2164e293c95cafad7bc0c8e3c23b3
Instruction Fuzzy Hash: 83110A71206315BFD7202B789CC6FEB3A9DFF107797202230FA11D20E2DA544CC58195

Function 0080681D Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678b5fac3e2ea4ec52e62f1fd949fb4ff7d15369ec72f7b56beab75960ba9d79
Instruction ID: 10b0e758b9f092d7ce525a66ae28fb16d13722ed181639ce42953d6b0397cf54
Opcode Fuzzy Hash: 678b5fac3e2ea4ec52e62f1fd949fb4ff7d15369ec72f7b56beab75960ba9d79
Instruction Fuzzy Hash: 22418F72A0011BAFCF54DF68C8909EDBBB9FF08314B544139E542E7A80E731E965DB90

Function 00805541 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64962c6347c26333cd02f3a56f1b1cc7352aec0e484fbd43db9bf01486abc297
Instruction ID: 0e28e0e74a364654a0ea0d3ec6faf229127d066b492c8884fb4749a0b9079155
Opcode Fuzzy Hash: 64962c6347c26333cd02f3a56f1b1cc7352aec0e484fbd43db9bf01486abc297
Instruction Fuzzy Hash: E531807290051AAFCF54CE68CC848EEB7B9FF19324B54026AE521E76D0E731E954CFA0

Function 00801660 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00801180: _strlen.LIBCMT ref: 008011EA

VirtualProtect.KERNELBASE(0082F011,00000549,00000040,?), ref: 008016E0

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ProtectVirtual_strlen
String ID:
API String ID: 1613229118-0
Opcode ID: ab877bca722448e78b8dc872d4e59416da23652f48db8e86ef2a7719254402ec
Instruction ID: 3dfa0735331236495d11bb3684b6ebabfaa3799fcee10dc740b0f702a179b6b0
Opcode Fuzzy Hash: ab877bca722448e78b8dc872d4e59416da23652f48db8e86ef2a7719254402ec
Instruction Fuzzy Hash: 4C118631A40618ABEF44AB68AC07EAF7774FF84714F404474F714E72D3EA75A95086D1

Function 008152BD Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce9727430ae799b1ae538cb6c97972317df7d96ab936037375595e18eb9027c
Instruction ID: b1f821cbc47ad0cf2f2685dbf690ae4e511084b5e20db7b97ef9427ecfc26681
Opcode Fuzzy Hash: cce9727430ae799b1ae538cb6c97972317df7d96ab936037375595e18eb9027c
Instruction Fuzzy Hash: 4F01B533200A25DF9B129F6CEC40A9677FAFFC67647648139F624CB295EA31D881D790

Function 00805533 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 7b4051df8a7b4b602d8c42bf8eb737e12f516622af6ab65b1adb4263347e5d1c
Instruction ID: bcf872c75e56090c39c04943e673aec852a1914e028c6bd8d046a838f24d2fc4
Opcode Fuzzy Hash: 7b4051df8a7b4b602d8c42bf8eb737e12f516622af6ab65b1adb4263347e5d1c
Instruction Fuzzy Hash: EFF02832618A864BCBD58ABCEC6566F7F10FF66334B6051AFE412D94C2DA034811CB61

Function 00815590 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,008144B0,00000001,00000364,?,00000003,000000FF,?,0080DB66,0082E6D8,0000000C), ref: 008155D1

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0bb85c684d3edd4aa8d68c5b767245c5b64690df4b2c36c130bdb89d6abfadc6
Instruction ID: 7cfc77afe9aad4a62ed4271d3e48628585e39d802a3ca36c762ccec314c9cdf6
Opcode Fuzzy Hash: 0bb85c684d3edd4aa8d68c5b767245c5b64690df4b2c36c130bdb89d6abfadc6
Instruction Fuzzy Hash: 1BF0B432605A24E6EB212A669C05ADA3B5FFFC1770B248011A815E6494DE60DD8086E1

Function 00814211 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,008161EA,?,?,008161EA,00000220,?,00000000,?), ref: 00814243

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 49c116d28dab757ef58dd5279ac341a84f124e19201870e40a596a7b1d7b0b8d
Instruction ID: 104dd0c76532f47f6caf6286a20b529718458f80af2ca5df8f9099c234def7dc
Opcode Fuzzy Hash: 49c116d28dab757ef58dd5279ac341a84f124e19201870e40a596a7b1d7b0b8d
Instruction Fuzzy Hash: 50E09B3250522557EB312A659C04FDA3A5CFFC6BA4F155120FC19D74D1DB70DCC085E5

Non-executed Functions

Function 0081FCA2 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0081FEB9

Strings

1#SNAN, xrefs: 0081FDAE
1#QNAN, xrefs: 0081FDB5
1#IND, xrefs: 0081FDA7
1#INF, xrefs: 0081FDD8

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 248734ae188f1df3fd460c5f7afadc8174b11ee602e5c01f1bea2693d37200dd
Instruction ID: 084262eb2f008263168ce0c3fb3c1b0b1f3d948390f66fbd17110de35b461a94
Opcode Fuzzy Hash: 248734ae188f1df3fd460c5f7afadc8174b11ee602e5c01f1bea2693d37200dd
Instruction Fuzzy Hash: D0D21471E086288BDB65CE28ED447EAB7B5FB54305F1441EAD80DE6241EB78AEC18F41

Function 00819C77 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00819648,00000002,00000000,?,?,?,00819648,?,00000000), ref: 00819D10
GetLocaleInfoW.KERNEL32(?,20001004,00819648,00000002,00000000,?,?,?,00819648,?,00000000), ref: 00819D39
GetACP.KERNEL32(?,?,00819648,?,00000000), ref: 00819D4E

Strings

ACP, xrefs: 00819C95
OCP, xrefs: 00819CCB

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f760a4477d8e8e13e940f701f6338e9de521ab9f3ae340f8f05b93c3c9be8da1
Instruction ID: 0118c480f180abf36344ef73607711149e393c60e44ca10a6166292a12e085e3
Opcode Fuzzy Hash: f760a4477d8e8e13e940f701f6338e9de521ab9f3ae340f8f05b93c3c9be8da1
Instruction Fuzzy Hash: EE21A122B00105AAEB348B25D921AE777EEFF54B54B568424E9CAD7214E732DEC1C390

Function 00819512 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0081961A
IsValidCodePage.KERNEL32(00000000), ref: 00819658
IsValidLocale.KERNEL32(?,00000001), ref: 0081966B
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 008196B3
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 008196CE

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 4a940cf77a20cd576b5d86b941b9b35bd6351439cd72eb668cbb56716ada6c0c
Instruction ID: e2d1609109e7846b41b7ac8c9707ca98482378d70fc3dc50bb9e3ac43bdc757e
Opcode Fuzzy Hash: 4a940cf77a20cd576b5d86b941b9b35bd6351439cd72eb668cbb56716ada6c0c
Instruction Fuzzy Hash: 89518C71A00219EBDF21DFA9DCA1EEA77BCFF58700F144429F941E7190EB7099808B61

Function 00812370 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5e9c3d5b8dfd3e6dc0569d32db29be04432f65769e57fa47aedbbc9c5abd24
Instruction ID: aa88c898afec6d94c20c16a356c15da0d6d2fbf0a60cd344dfd2c9ab35536e97
Opcode Fuzzy Hash: bd5e9c3d5b8dfd3e6dc0569d32db29be04432f65769e57fa47aedbbc9c5abd24
Instruction Fuzzy Hash: DE022A71E012199FDF14CFA9D890AEEBBB5FF48314F248269D919E7380D731A9918B90

Function 0081A259 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0081A349

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: eb0bee132d0ed58335a58121e189b397b8e308466abf405e03c426c6ce713db4
Instruction ID: a6d3e5cc5fbc0f1e2efcb93de6f18f7ad0d1dd1011886237ef38574a01e69bc4
Opcode Fuzzy Hash: eb0bee132d0ed58335a58121e189b397b8e308466abf405e03c426c6ce713db4
Instruction Fuzzy Hash: C271BFB58061686EDF29AF28CC8DAEABBBDFF45300F1441D9E409E3211DA314EC59F16

Function 00807EDA Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00807EE6
IsDebuggerPresent.KERNEL32 ref: 00807FB2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00807FCB
UnhandledExceptionFilter.KERNEL32(?), ref: 00807FD5

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d33fa7ca547c97462579e30e354f9fed07c02c3df8489752b1ebda8de3127b90
Instruction ID: 263957b074e0fbb8bb38a856debdcc13a6201b958f263c16c57b1378beba0f7e
Opcode Fuzzy Hash: d33fa7ca547c97462579e30e354f9fed07c02c3df8489752b1ebda8de3127b90
Instruction Fuzzy Hash: 5531E775D053299BDB61DF64DD49BCDBBB8BF08300F1041AAE40DAB290EB719A85CF45

Function 00808C37 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00808C49
GetCurrentThreadId.KERNEL32 ref: 00808C58
GetCurrentProcessId.KERNEL32 ref: 00808C61
QueryPerformanceCounter.KERNEL32(?), ref: 00808C6E

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4220f6d3cd1cb2bbd5efd9814bbe524fa2d07ef25198c3bdf259729d4fc24de8
Instruction ID: a46d594004e5d12f4e43114e5ed81c37f19f179ceb348c36ff8256d42dc5197c
Opcode Fuzzy Hash: 4220f6d3cd1cb2bbd5efd9814bbe524fa2d07ef25198c3bdf259729d4fc24de8
Instruction Fuzzy Hash: 73F0B231C0021CEBCB00DBB4CA4998EBBF4FF1C200BA18996A412F7510E730AB05CB50

Function 008197FE Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00819852
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0081989C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00819962

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 57d1f81b6db785842dcd9b6dcfeede81bf38c06b5bd60c9190458bbed3650142
Instruction ID: cedb4cdde6bd0a715722ca3a07e4dc3fb92fe63cd9d67253af669c142eb003a0
Opcode Fuzzy Hash: 57d1f81b6db785842dcd9b6dcfeede81bf38c06b5bd60c9190458bbed3650142
Instruction Fuzzy Hash: 9B617D719102179BDB289F28DCA2BFA77ACFF08710F108079E949C6285E734DAC5CB51

Function 008104F9 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 008105F1
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 008105FB
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00810608

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 30c66ac6ff55575f38429b06fd87b230553bfb146a18db75c0c913be8f1850d4
Instruction ID: 431537a29b0584aaab469148755cc488cc2401b457a3b426c10ee9ef709b9563
Opcode Fuzzy Hash: 30c66ac6ff55575f38429b06fd87b230553bfb146a18db75c0c913be8f1850d4
Instruction Fuzzy Hash: E831C4749013299BCB61DF28DC897CDBBB8FF18310F5041EAE40DA6290EB709B818F45

Function 00807B46 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00807B5C

Strings

MZx, xrefs: 00807DE9

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID: MZx
API String ID: 2325560087-2575928145
Opcode ID: cf79af2ce45ff96d7da3d0eee462356664cd489a284e33bc533227098f496bc5
Instruction ID: ad5fc36d8a4434765d23b29a7b5f49529413a1aca533d1ccc2113712258511ca
Opcode Fuzzy Hash: cf79af2ce45ff96d7da3d0eee462356664cd489a284e33bc533227098f496bc5
Instruction Fuzzy Hash: 56A15AB1E056098BDB68CF58EC816A9BBF0FB48714F24C57AD505E73A5D334A841CF90

Function 0081DECA Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0081DE25,?,?,00000008,?,?,008242BB,00000000), ref: 0081E0F7

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2196ed248a36b8520d224ebd2bd7ffa34a2695a7a4d14a0f79bcc1b8ed9ab3d3
Instruction ID: 748d8d1708cee2f16996df755e38f59f6b9b6778126c95a60f08970cdcca872b
Opcode Fuzzy Hash: 2196ed248a36b8520d224ebd2bd7ffa34a2695a7a4d14a0f79bcc1b8ed9ab3d3
Instruction Fuzzy Hash: BBB17E31610609DFD715CF28C48ABA47BE5FF49365F298658E89ACF2A1C375E9C2CB40

Function 0081A1A8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00815590: RtlAllocateHeap.NTDLL(00000008,?,?,?,008144B0,00000001,00000364,?,00000003,000000FF,?,0080DB66,0082E6D8,0000000C), ref: 008155D1

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0081A349
FindNextFileW.KERNEL32(00000000,?), ref: 0081A43D
FindClose.KERNEL32(00000000), ref: 0081A47C
FindClose.KERNEL32(00000000), ref: 0081A4AF

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Find$CloseFile$AllocateFirstHeapNext
String ID:
API String ID: 4087847297-0
Opcode ID: 156d2bcc1f2006aa72ab4291bda08d0060771179ca40e7c269086d93ef10f32b
Instruction ID: 616f99b1d2480921733fdd3dd6b09d84342a150b435d483df18d25925cbe1883
Opcode Fuzzy Hash: 156d2bcc1f2006aa72ab4291bda08d0060771179ca40e7c269086d93ef10f32b
Instruction Fuzzy Hash: 3A5135759021086EDB189F6CCC85AFE77ADFF85318F1441A9F819D7202EA318DC19B62

Function 00819AB0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00819B04

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 39e770ea929a414eb6558304fef644c3d8d6f82c5ed31352a95d14202e96d208
Instruction ID: b4cbb72ced4082fe44eb3d3c81e64442746a67bf43f5d6525a546c0537b7110b
Opcode Fuzzy Hash: 39e770ea929a414eb6558304fef644c3d8d6f82c5ed31352a95d14202e96d208
Instruction Fuzzy Hash: 4E21B332A09216ABDF289E29FC52EFA73ACFF45724B10407AF902C6141EA34ED808754

Function 00819BD0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00819C24

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d91982d79b7cf10c0299d1c3b4891134e4a098a3820e2a02f2d242d939d4ff6a
Instruction ID: 6a1fbaaf8e77c1956a54b0bba5c09fe76ba560de0ce68fb842d7434fd5679583
Opcode Fuzzy Hash: d91982d79b7cf10c0299d1c3b4891134e4a098a3820e2a02f2d242d939d4ff6a
Instruction Fuzzy Hash: D4110232A01206ABDB24AB2CEC56AFA77ECFF04310B10417AF542C7241EB34EE818790

Function 00819763 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

EnumSystemLocalesW.KERNEL32(008197FE,00000001,00000000,?,-00000050,?,008195EE,00000000,-00000002,00000000,?,00000055,?), ref: 008197D5

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c9153d20fdfd056ab385937cf750633e3745e597eebece3698f5d6381c0e170f
Instruction ID: 06bcf0d15a653e3d97705db339e9fd6b8e2756943ee0140101932f60f9a40355
Opcode Fuzzy Hash: c9153d20fdfd056ab385937cf750633e3745e597eebece3698f5d6381c0e170f
Instruction Fuzzy Hash: 3311293B6103059FDB189F39D8E16BABB95FF80718B14482CE986C7780D3717882C740

Function 00819D7D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00819A1A,00000000,00000000,?), ref: 00819DA9

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6e818ff8207b18aa12e3c25a591363ccfdba54105a3d22c693a65eabc1cd5476
Instruction ID: 28c15ac30a91377175e095e08b8025faa46cd67fafea31c5c1230d1292653157
Opcode Fuzzy Hash: 6e818ff8207b18aa12e3c25a591363ccfdba54105a3d22c693a65eabc1cd5476
Instruction Fuzzy Hash: 4601A932A14116BBDB285A29DC55FFA776CFF40758F154429EC86E3180EA74FE81C690

Function 00819A51 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

EnumSystemLocalesW.KERNEL32(00819AB0,00000001,?,?,-00000050,?,008195B6,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00819A9B

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 515a2e68cc2385cabc3cd8d1381752dc497fa0deac957178253f486f5e2f3028
Instruction ID: 91fabb79ac1318636153aeb01de33f3c764b066e2f8aa28f5503ee3002a6672c
Opcode Fuzzy Hash: 515a2e68cc2385cabc3cd8d1381752dc497fa0deac957178253f486f5e2f3028
Instruction Fuzzy Hash: AFF0F6363003145FDB249F39D8D1ABA7BA9FF84768F05842CF986CB680C6B1AC82C650

Function 008154A0 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00810790: EnterCriticalSection.KERNEL32(?,?,008148F0,?,0082EB68,00000008,008147E2,?,?,?), ref: 0081079F

EnumSystemLocalesW.KERNEL32(00815493,00000001,0082EBE8,0000000C,00814DF8,-00000050), ref: 008154D8

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ff46d691cf7e5f35faf11c9e8a0f9bf8f5aa749ea9b79346149cb5992f7f1b88
Instruction ID: 2d58fc0d86c0a1d37b1c3ed0363ca77dfd28e820cd08b92796ae1be6776437ef
Opcode Fuzzy Hash: ff46d691cf7e5f35faf11c9e8a0f9bf8f5aa749ea9b79346149cb5992f7f1b88
Instruction Fuzzy Hash: 7FF01476A50604DFDB10EF98E842B9D7BF0FB88721F00846AF410DB2E0DA7959818F41

Function 00819B85 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

EnumSystemLocalesW.KERNEL32(00819BD0,00000001,?,?,?,00819610,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00819BBC

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1c5be38a0b9b161425d3cec119542e8f74b79a4274f0162c3ad660dbdba966f4
Instruction ID: 40d350be40e6b9b42707ce752c895b8f207e17d1c0ef9383798d9b4b50ae0e7e
Opcode Fuzzy Hash: 1c5be38a0b9b161425d3cec119542e8f74b79a4274f0162c3ad660dbdba966f4
Instruction Fuzzy Hash: 37F0E53670421557CB149F39E8657AA7FA8FFC1764F064458FA05CB290C6B59883C790

Function 00814EFC Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,0080F4FC,?,20001004,00000000,00000002,?,?,0080E40E), ref: 00814F30

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d1eab48df6b76335f9614f1e654bd307f021098555b2117c89c6afb21a59e826
Instruction ID: 545a7c471a7cd35a221f83e755f85395678a945e16dfc6667082cf056af508f5
Opcode Fuzzy Hash: d1eab48df6b76335f9614f1e654bd307f021098555b2117c89c6afb21a59e826
Instruction Fuzzy Hash: AEE01232504618BBCB222F61DC08EDD7F19FF44751F004011FC09952218B718962A691

Function 00807ECE Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007FEF), ref: 00807ED3

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b1f2e11890eb0ee71864101f67d25627abf418f8bba68e1a341fa5db26203770
Instruction ID: cc1f7066a13c6f5cdf802829796108dc1d0bfc7f8e18122b42b9f2236a1f8807
Opcode Fuzzy Hash: b1f2e11890eb0ee71864101f67d25627abf418f8bba68e1a341fa5db26203770
Instruction Fuzzy Hash:

Function 00815BB5 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00815BB5

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a8a6808ee61027068aa78fef5c4881fb2c3df1142830017cf6eba06aa2de71cb
Instruction ID: e91d187b0c59de0094f4583c5815101703ec2de08b83b675e5eb28d9c584d6f8
Opcode Fuzzy Hash: a8a6808ee61027068aa78fef5c4881fb2c3df1142830017cf6eba06aa2de71cb
Instruction Fuzzy Hash: 4EA011302002028B8B008F32AA082083AEABA88B80300C028A00AC0220EA3080008F00

Function 0080C692 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3ad54b9b600f73941885139fed98a453bd4f6cc556452f9498a058dc02e283
Instruction ID: f01d8edf60e06e023145ccdc49a90e4850a9ae5a44d44adf5bdb2c56bc9fe6f3
Opcode Fuzzy Hash: 5f3ad54b9b600f73941885139fed98a453bd4f6cc556452f9498a058dc02e283
Instruction Fuzzy Hash: 93B1CE7190060A8BCBA88F7CCD95ABEBBA1FF05304F24471EE592D76D1D731AA05CB51

Function 00801000 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e373cca899f3f12ab93b34ed3fa006828201fdbd8b18ac220549d98821af210b
Instruction ID: af66ac01a9ff628b320aff593b46f4f5b1e78c865334bfad12c486cd0e3adcd1
Opcode Fuzzy Hash: e373cca899f3f12ab93b34ed3fa006828201fdbd8b18ac220549d98821af210b
Instruction Fuzzy Hash: CE4123316042114FCB9C9F78D8AA427BBD5FB8A760B04866DEA46CF3E1EA20DD00C6D5

Function 00823052 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0111FE18,0111FE18,00000000,7FFFFFFF,?,0082303D,0111FE18,0111FE18,00000000,0111FE18,?,?,?,?,0111FE18,00000000), ref: 008230F8
__alloca_probe_16.LIBCMT ref: 008231B3
__alloca_probe_16.LIBCMT ref: 00823242
__freea.LIBCMT ref: 0082328D
__freea.LIBCMT ref: 00823293
__freea.LIBCMT ref: 008232C9
__freea.LIBCMT ref: 008232CF
__freea.LIBCMT ref: 008232DF

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 2616ce54212785174897b3af9033855d9cc348525d1304c7ca6a3e0491ef3e09
Instruction ID: f25a729a92367a8455f0e7faabcbdade3091a1b8399fcda08c6746b073058566
Opcode Fuzzy Hash: 2616ce54212785174897b3af9033855d9cc348525d1304c7ca6a3e0491ef3e09
Instruction Fuzzy Hash: 7871E872A04269EBDF209E98AC62BEE77B9FF49310F290055F904E7181D739DEC08761

Function 008084F5 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 0080853C
__alloca_probe_16.LIBCMT ref: 00808568
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 008085A7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008085C4
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00808603
__alloca_probe_16.LIBCMT ref: 00808620
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00808662
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00808685

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 326e0fff36d9db7d9d8e6504f241f0d8476dbab1f86db120c4167e17739b1775
Instruction ID: d3f89c3c2d1d620698a3740240df207198c3b44f880ff4f917e4b1602e410894
Opcode Fuzzy Hash: 326e0fff36d9db7d9d8e6504f241f0d8476dbab1f86db120c4167e17739b1775
Instruction Fuzzy Hash: D251CC7260021AEFEB605F64CC49FAB3BA9FF50740F224029F965D62D0DF318D908A90

Function 0081712B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008171B1

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 0022c536f264df0fd022f58618f40cd4b78e8be5a313df6415c180dcdaad3927
Instruction ID: 905e176bb1e2ba2b921ac887834d3ab9431ff03678e35766bc51baa649fed947
Opcode Fuzzy Hash: 0022c536f264df0fd022f58618f40cd4b78e8be5a313df6415c180dcdaad3927
Instruction Fuzzy Hash: C6B16672A08355AFDB11CF28CC81BEE7BB9FF59300F244169E915EB382D2749981C7A1

Function 00809470 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008094A7
___except_validate_context_record.LIBVCRUNTIME ref: 008094AF
_ValidateLocalCookies.LIBCMT ref: 00809538
__IsNonwritableInCurrentImage.LIBCMT ref: 00809563
_ValidateLocalCookies.LIBCMT ref: 008095B8

Strings

csm, xrefs: 0080954D

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7a04e67423bdfbbd215fd8d4a852a7fdeed0f00cb3c50f054e0a04977aaeb4b6
Instruction ID: d15d2a7484a3e08860ea98b5b6a1aa18f9c23d53691354c6c5773b5114342d87
Opcode Fuzzy Hash: 7a04e67423bdfbbd215fd8d4a852a7fdeed0f00cb3c50f054e0a04977aaeb4b6
Instruction Fuzzy Hash: 7641BD70A00218ABCF51DF69DC41A9EBBB4FF45324F148165E854EB393D731EA52CB91

Function 00808397 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008083AB
AcquireSRWLockExclusive.KERNEL32(00803C74,?,?,?,?,?,?,00000000,00000000,00000000,0080156C,00000000), ref: 008083CA
AcquireSRWLockExclusive.KERNEL32(00803C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,0080156C,00000000), ref: 008083F8
TryAcquireSRWLockExclusive.KERNEL32(00803C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,0080156C,00000000), ref: 00808453
TryAcquireSRWLockExclusive.KERNEL32(00803C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,0080156C,00000000), ref: 0080846A

Strings

ios_base::badbit set, xrefs: 008083E1

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID: ios_base::badbit set
API String ID: 66001078-3882152299
Opcode ID: 6f2a1b25910c8d384b16206c3aedb9f26c1d7c9a025ce55c94f1e3e7e0f2a200
Instruction ID: cf2a6be52f10f2cde9086f1f7d4f3c5b4dcac283d3f15f662586c1d8ac0aef43
Opcode Fuzzy Hash: 6f2a1b25910c8d384b16206c3aedb9f26c1d7c9a025ce55c94f1e3e7e0f2a200
Instruction Fuzzy Hash: 8E412731900A0BDFCBA0DF64C88196AB7F5FF04314B604A29E5D6D7681DB34E9C5CB59

Function 008087AC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008087B2
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 008087C0
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 008087D1

Strings

GetSystemTimePreciseAsFileTime, xrefs: 008087BA
GetTempPath2W, xrefs: 008087C6
kernel32.dll, xrefs: 008087AD

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: cacba16da9a813de6434ec663d9989ccd600993008d286ae1d57a040e1e5c8b4
Instruction ID: f773b5bd6a32458226ce18c10f4d3317fe07f6d04b5e2ddc87c22c708726e209
Opcode Fuzzy Hash: cacba16da9a813de6434ec663d9989ccd600993008d286ae1d57a040e1e5c8b4
Instruction Fuzzy Hash: D2D0C931589730AB83249F74BC0DCDE3EA4FF897127014512F812D2BA1DB780482EB95

Function 0081D1ED Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584c787ebe410e50c60005a6ea9b728924a986d4d1ce50f0ff0e74a5ef844826
Instruction ID: 70762931f3a2d4cdf0944e47dfd3e67aaaf360a104da1929d3f37364c301657a
Opcode Fuzzy Hash: 584c787ebe410e50c60005a6ea9b728924a986d4d1ce50f0ff0e74a5ef844826
Instruction Fuzzy Hash: 4AB10F70A04349AFDF119FADD840BEE7BBAFF45318F148158E915DB282C770A981CB65

Function 00812FAC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00812FA3,00809247,00808033), ref: 00812FBA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00812FC8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00812FE1
SetLastError.KERNEL32(00000000,00812FA3,00809247,00808033), ref: 00813033

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 46ef7e25be3cf825f0c0d8e37838f2027264bd9a3eec10ab060c73b7916e66e3
Instruction ID: e64a75362baf80e680d4bb857a067d2a1281f9beb4899dc27f516a859214d7f0
Opcode Fuzzy Hash: 46ef7e25be3cf825f0c0d8e37838f2027264bd9a3eec10ab060c73b7916e66e3
Instruction Fuzzy Hash: 3801D8321097216EA635267D7C86AD72EACFF057B5B60433AFA14D40F2EF514CD2D641

Function 00813874 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00813993
CallUnexpected.LIBVCRUNTIME ref: 00813C0C

Strings

csm, xrefs: 008139CA
csm, xrefs: 0081391E
csm, xrefs: 008138B1

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: cd61703113ca7b6779762f67574c6cbe99f0d927dc76fbc7db831464b8ea357a
Instruction ID: ff2133202f883c445648e05aae77f05e61466013245026b9ad72e782ee73f5cf
Opcode Fuzzy Hash: cd61703113ca7b6779762f67574c6cbe99f0d927dc76fbc7db831464b8ea357a
Instruction Fuzzy Hash: 61B14771800209EFCF25DFA8C8819EEBBB9FF14310F14455AF815AB216D775DAA1CB92

Function 00802EF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00802F0C
std::_Lockit::_Lockit.LIBCPMT ref: 00802F2A
std::_Lockit::~_Lockit.LIBCPMT ref: 00802F4C
std::_Lockit::~_Lockit.LIBCPMT ref: 00802FBA

Strings

ios_base::badbit set, xrefs: 00802EF2

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: ios_base::badbit set
API String ID: 593203224-3882152299
Opcode ID: ff90172630996ccc59d8836fd26cf7e68906c4513c949ad7334013cf4468d8ef
Instruction ID: 6e13393fcbb05fccfe9675d928018d0da15c5590c3e9fb5c7341019b33f1fa71
Opcode Fuzzy Hash: ff90172630996ccc59d8836fd26cf7e68906c4513c949ad7334013cf4468d8ef
Instruction Fuzzy Hash: 042168B1A042059FC7A0EF58DC59A1AB7A4FB94760F05895DF549CB2A2DB71AC40CF82

Function 00804BE3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00804BEA
std::_Lockit::_Lockit.LIBCPMT ref: 00804BF7
std::_Lockit::_Lockit.LIBCPMT ref: 00804C61
std::_Lockit::~_Lockit.LIBCPMT ref: 00804C7B

Part of subcall function 0080433F: _Yarn.LIBCPMT ref: 0080435F
Part of subcall function 0080433F: _Yarn.LIBCPMT ref: 00804383

Strings

bad locale name, xrefs: 00804C45

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Yarn$H_prolog3Lockit::~_
String ID: bad locale name
API String ID: 3084819986-1405518554
Opcode ID: 4655e1a41db3b3caaae2fafd704072b7f1d73bab1b2bf65f3bb5d7d235f580b6
Instruction ID: f98c7febb122af363c5153114b0fe452716bfe762aa0b2cbd994dfe946946f14
Opcode Fuzzy Hash: 4655e1a41db3b3caaae2fafd704072b7f1d73bab1b2bf65f3bb5d7d235f580b6
Instruction Fuzzy Hash: D71190B1941704DFC760DF6AD98168ABBE0FF28300F50592EE1CAC3691DB70AA84CB56

Function 0080DC95 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B7B1FB39,?,?,00000000,008246BA,000000FF,?,0080DD56,00000002,?,0080DDF2,00810A45), ref: 0080DCCA
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0080DCDC
FreeLibrary.KERNEL32(00000000,?,?,00000000,008246BA,000000FF,?,0080DD56,00000002,?,0080DDF2,00810A45), ref: 0080DCFE

Strings

CorExitProcess, xrefs: 0080DCD4
mscoree.dll, xrefs: 0080DCC3

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 09acf3b4237b20551054fe898d31722471a2dc520a1a644f58dbe7651a6fd1fd
Instruction ID: 4e1c7fab9b366aca87bcaa86a0a88d9e108aa1f56df1ec024af4241e2dc85532
Opcode Fuzzy Hash: 09acf3b4237b20551054fe898d31722471a2dc520a1a644f58dbe7651a6fd1fd
Instruction Fuzzy Hash: 28016731554765AFDB219F90DC09FAEBBB8FB44B15F004525F812E27D0DB789941CA90

Function 008159C6 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00815A4B
__alloca_probe_16.LIBCMT ref: 00815B14
__freea.LIBCMT ref: 00815B7B

Part of subcall function 00814211: RtlAllocateHeap.NTDLL(00000000,008161EA,?,?,008161EA,00000220,?,00000000,?), ref: 00814243

__freea.LIBCMT ref: 00815B8E
__freea.LIBCMT ref: 00815B9B

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: c16dbbb5eeaac6816348d9f014d6504d3bd4fd3050f6c3b7d141d98d1e483bc1
Instruction ID: 325771f2027c545810ba4570405577fda4d0c555fce504351fcdc25e8d21216a
Opcode Fuzzy Hash: c16dbbb5eeaac6816348d9f014d6504d3bd4fd3050f6c3b7d141d98d1e483bc1
Instruction Fuzzy Hash: AA5180B260464AEFEB209FA4DC81EFB7BADFF84720B254529FD04D6151EB70DC908661

Function 00805E93 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00805E9A
std::_Lockit::_Lockit.LIBCPMT ref: 00805EA4
int.LIBCPMT ref: 00805EBB

Part of subcall function 00804C50: std::_Lockit::_Lockit.LIBCPMT ref: 00804C61
Part of subcall function 00804C50: std::_Lockit::~_Lockit.LIBCPMT ref: 00804C7B

codecvt.LIBCPMT ref: 00805EDE
std::_Lockit::~_Lockit.LIBCPMT ref: 00805F15

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 01a555ad9e985830ec0eea8d1a73d925f21f572d71363ae4231ae009de5b46f1
Instruction ID: 01ca06a96fcbf7233bad72d146904118bc09f798afb0fc57eef180fabcab7aad
Opcode Fuzzy Hash: 01a555ad9e985830ec0eea8d1a73d925f21f572d71363ae4231ae009de5b46f1
Instruction Fuzzy Hash: 7E01C079A406198FCB41EBA8DC256AE77A0FF88320F244409F511E72D1CF749E05CFA2

Function 00804565 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0080456C
std::_Lockit::_Lockit.LIBCPMT ref: 00804577
std::_Lockit::~_Lockit.LIBCPMT ref: 008045E5

Part of subcall function 00804439: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00804451

std::locale::_Setgloballocale.LIBCPMT ref: 00804592
_Yarn.LIBCPMT ref: 008045A8

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 3c95b8880423f36e762649e98d89994122e862aece8e3e1af1fc17b193e8a0a7
Instruction ID: c31def9191c83055f35b610e258d0a001d1b9e53c7ae2eaa403263085a2fe6c6
Opcode Fuzzy Hash: 3c95b8880423f36e762649e98d89994122e862aece8e3e1af1fc17b193e8a0a7
Instruction Fuzzy Hash: 6E01BCB5A806209FC746AF64EC56A7C7B61FF84740B145008EA02973C1CF38AE42CF82

Function 0081EE61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0081EEFD,00000000,?,008312F0,?,?,?,0081EE34,00000004,InitializeCriticalSectionEx,00828254,0082825C), ref: 0081EE6E
GetLastError.KERNEL32(?,0081EEFD,00000000,?,008312F0,?,?,?,0081EE34,00000004,InitializeCriticalSectionEx,00828254,0082825C,00000000,?,00813EBC), ref: 0081EE78
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0081EEA0

Strings

api-ms-, xrefs: 0081EE85

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d7cea6bfec8b2ddfa2b34518a596ee8c6a920cca978791d57a45b0237dfa429d
Instruction ID: 1c0fb7d54d5bfbb4228986548a8e9011e827bde62907253575000223e599984a
Opcode Fuzzy Hash: d7cea6bfec8b2ddfa2b34518a596ee8c6a920cca978791d57a45b0237dfa429d
Instruction Fuzzy Hash: BFE04F32284309FBEB301B61EC0AF993F58FF50B51F208020FE0DE84E1DB71A8918648

Function 0081C20A Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(B7B1FB39,00000000,00000000,?), ref: 0081C26D

Part of subcall function 00814321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00815B71,?,00000000,-00000008), ref: 00814382

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0081C4BF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0081C505
GetLastError.KERNEL32 ref: 0081C5A8

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c8cc76c1e2603b0bb22184d6a0879fbd7ade3a9557d04d2d05c98bd461bc1952
Instruction ID: 951166383317dbc404a2d7316a821343a4b1c195dd0d2ba4efe3dcb21b940826
Opcode Fuzzy Hash: c8cc76c1e2603b0bb22184d6a0879fbd7ade3a9557d04d2d05c98bd461bc1952
Instruction Fuzzy Hash: 15D17BB5D042589FCF15CFE8D884AEDBBBAFF48314F24416AE426EB351D630A981CB50

Function 0081359B Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00813662
___AdjustPointer.LIBCMT ref: 00813685
___AdjustPointer.LIBCMT ref: 00813721

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 26a6fcaef3089761c204a522c4df9ed15b619ad6f23284cf41af2cdb9183ded2
Instruction ID: 5f3ef69e9d72e3dffa10b7a54f4c251e4468fa24024fb7d69722395b0ae651cd
Opcode Fuzzy Hash: 26a6fcaef3089761c204a522c4df9ed15b619ad6f23284cf41af2cdb9183ded2
Instruction Fuzzy Hash: 4451D1B1604606BFEB298F14D841BEAB7A8FF60710F244429E846C77A1D731AEC0EB51

Function 00803510 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0080352C
std::_Lockit::_Lockit.LIBCPMT ref: 0080354A
std::_Lockit::~_Lockit.LIBCPMT ref: 0080356C
std::_Lockit::~_Lockit.LIBCPMT ref: 008035DA

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 14f51b0d1fb427959f0acd91e011b163299c12780e55c911dbbf9adaf3b7e248
Instruction ID: 4af53bf78d3a5e3de2d7d6433a150459f346c608ea881e0e58457e46a2a22101
Opcode Fuzzy Hash: 14f51b0d1fb427959f0acd91e011b163299c12780e55c911dbbf9adaf3b7e248
Instruction Fuzzy Hash: 1621ADB1A043009FC7A0EF58DC55A2A77A4FF94320F01895DF5898B2A2DB31AE40CF82

Function 0081A036 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00814321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00815B71,?,00000000,-00000008), ref: 00814382

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 0081A09A
__dosmaperr.LIBCMT ref: 0081A0A1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 0081A0DB
__dosmaperr.LIBCMT ref: 0081A0E2

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 91f44fccd0138f776546a91858b24402abf76ab1053c72600f262199019b4596
Instruction ID: b33622e2d161aa51447e1373e541c9fcfd86cde3138135978b86af682406c419
Opcode Fuzzy Hash: 91f44fccd0138f776546a91858b24402abf76ab1053c72600f262199019b4596
Instruction Fuzzy Hash: 3E21A131601A15EFDB24AF69CC408ABB7ADFF083647108429F925D7551DB31ECC08B93

Function 0080B2D2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9010cbf8cfdb6a7faadf3ae0adc838100bd67a170d0c4680dc0a894bc6f047
Instruction ID: df97901d4b3b74d0513deb88589d2411555f1a5ec1b0bfae94fa76554efe352d
Opcode Fuzzy Hash: 6b9010cbf8cfdb6a7faadf3ae0adc838100bd67a170d0c4680dc0a894bc6f047
Instruction Fuzzy Hash: E8219331600609AFDBA0AF758C51D6B77E9FF403687228525F929D76D1E730EC508792

Function 0081B42C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0081B434

Part of subcall function 00814321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00815B71,?,00000000,-00000008), ref: 00814382

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0081B46C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0081B48C

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: dcdb7704dd03c8f22b67ca983149e45d366feff4559bfe008ddec2abe7e84c8d
Instruction ID: 8bf5a73401250a7838c59dcda10812cba7db3127a10c3a5b220abe89ce9e4677
Opcode Fuzzy Hash: dcdb7704dd03c8f22b67ca983149e45d366feff4559bfe008ddec2abe7e84c8d
Instruction Fuzzy Hash: 6E1100F55016197EAB2127BA9D8ECFF3E9CFE993987108025F905D2102FB20DDC182B6

Function 00807155 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0080715C
std::_Lockit::_Lockit.LIBCPMT ref: 00807166
int.LIBCPMT ref: 0080717D

Part of subcall function 00804C50: std::_Lockit::_Lockit.LIBCPMT ref: 00804C61
Part of subcall function 00804C50: std::_Lockit::~_Lockit.LIBCPMT ref: 00804C7B

std::_Lockit::~_Lockit.LIBCPMT ref: 008071D7

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: bc28b081141cd41f9ace4aa01e6cfa4594905830034f1acbcf0a6b77fd24dba4
Instruction ID: a6956f5fb7824f2506614039ccf33b3a3f43da2eee18006665a17005c5826a3f
Opcode Fuzzy Hash: bc28b081141cd41f9ace4aa01e6cfa4594905830034f1acbcf0a6b77fd24dba4
Instruction Fuzzy Hash: 3B11CE71940215CBCB45EBA8DC156AD7760FF84320F254409E921EB2D1CF30AE45CB82

Function 00823310 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,008227FF,00000000,00000001,?,?,?,0081C5FC,?,00000000,00000000), ref: 00823327
GetLastError.KERNEL32(?,008227FF,00000000,00000001,?,?,?,0081C5FC,?,00000000,00000000,?,?,?,0081BF42,?), ref: 00823333

Part of subcall function 00823384: CloseHandle.KERNEL32(FFFFFFFE,00823343,?,008227FF,00000000,00000001,?,?,?,0081C5FC,?,00000000,00000000,?,?), ref: 00823394

___initconout.LIBCMT ref: 00823343

Part of subcall function 00823365: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00823301,008227EC,?,?,0081C5FC,?,00000000,00000000,?), ref: 00823378

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,008227FF,00000000,00000001,?,?,?,0081C5FC,?,00000000,00000000,?), ref: 00823358

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 880825db6fd8b3f92b84b18b6ad878f0415bd782a3f0a9802d71271639e8f259
Instruction ID: c2bfe2d481d8cf70a3d64a1469fd970023da41de1686c7183c6857ba37a7601d
Opcode Fuzzy Hash: 880825db6fd8b3f92b84b18b6ad878f0415bd782a3f0a9802d71271639e8f259
Instruction Fuzzy Hash: 62F01C37504229BFCF225F99FC1DE8A7F26FB483A0F008010FA1995630CA728A609F91

Function 00818C16 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(?,?,0080DB66,0082E6D8,0000000C), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000), ref: 00814509

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0080E2A6,?,?,?,00000055,?,-00000050,?,?,?), ref: 00818CD5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0080E2A6,?,?,?,00000055,?,-00000050,?,?), ref: 00818D0C

Strings

utf8, xrefs: 00818DDE

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 933424d3852fd0e9fdba235451422398d3d9b6c76eb24ae824093111c7f714cf
Instruction ID: fdff2c4d5d547fe562a017bdefd716f3b23d7bf042b033430419d349289aa333
Opcode Fuzzy Hash: 933424d3852fd0e9fdba235451422398d3d9b6c76eb24ae824093111c7f714cf
Instruction Fuzzy Hash: 3751D071600315EAEB24AB74DC87BEA73ACFF54740F140829F955D7581EE70E9C086A6

Function 00813C98 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00813B99,?,?,00000000,00000000,00000000,?), ref: 00813CBD

Strings

MOC, xrefs: 00813CCF
RCC, xrefs: 00813CD7

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 6a8b76beb459a9e7fa73443b92f1cd214caf174058b77ba662782db184e2d237
Instruction ID: afbad9b24d3c3790b18247db941919b3f31b39d6e560e3df12b5b6d0f9662997
Opcode Fuzzy Hash: 6a8b76beb459a9e7fa73443b92f1cd214caf174058b77ba662782db184e2d237
Instruction Fuzzy Hash: 88416871900209EFCF15DF98DD81AEEBBB9FF48304F188099F904A7261D735AA90DB51

Function 00813504 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0081377B

Strings

csm, xrefs: 0081379D
csm, xrefs: 0081380E

Memory Dump Source

Source File: 00000000.00000002.1671039304.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.1671023261.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671088057.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671106448.000000000082F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671128548.0000000000830000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671144903.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1671168517.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_Script.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 35f72ac7817a94fd7310a3718d1cc6dc752f5554e6d3a8b3f6632ed889449fbf
Instruction ID: 7df859d483f8439bb696ae687b61cce62184c40fc11870606e7abab2d33225c6
Opcode Fuzzy Hash: 35f72ac7817a94fd7310a3718d1cc6dc752f5554e6d3a8b3f6632ed889449fbf
Instruction Fuzzy Hash: 153194B2800218ABCF265F55D8449EA7B6DFF05715B18457AFC54CA161C332DEE1DB81

Analysis Process: Script.exePID: 7492, Parent PID: 7424COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.5%
Total number of Nodes:	57
Total number of Limit Nodes:	4

Executed Functions

Function 0043DA10 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00440D9D,?,00000018,?,?,00000018,?,?,?), ref: 0043DA3E

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040AF23 Relevance: .2, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cbdfa24d642580817c22312a4d4416be34adb8d03870b701ba4631b34f5032
Instruction ID: eed30cc65e9a7acdb6177f5dd8ded5a2b05ec64c6f0e7533b6fe5fd470de70e5
Opcode Fuzzy Hash: 65cbdfa24d642580817c22312a4d4416be34adb8d03870b701ba4631b34f5032
Instruction Fuzzy Hash: BE51F039254B01CFCB298F64DC95B1ABBB2FF4A311F04847DE55687A62C738E816CB15

Function 0043D4E1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2e344c5d1edb06f7df8b2f1768e3dea44206ea03c0c1cb075caf44c4f91fa1
Instruction ID: dc484de900702ea7fd58ce72979cff842d7c41974bd76ae8d50f3999e681b5d9
Opcode Fuzzy Hash: 7a2e344c5d1edb06f7df8b2f1768e3dea44206ea03c0c1cb075caf44c4f91fa1
Instruction Fuzzy Hash: AA01DE75A80B108BD7298F24DD6136A77E0EB07304F14806EC592A7780DA7AFD008F99

Function 004085B0 Relevance: 7.6, APIs: 5, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004085D1
GetCurrentThreadId.KERNEL32 ref: 004085D7
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004085E8
GetForegroundWindow.USER32 ref: 0040869C
ExitProcess.KERNEL32 ref: 004086DB

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 749443de202a5043038cf60a811374f411e20320b39cfc084a8cc678c959233e
Instruction ID: 509b8593f85bca22239e70e965a689bc814e36a94043752a13a9102ecda549f4
Opcode Fuzzy Hash: 749443de202a5043038cf60a811374f411e20320b39cfc084a8cc678c959233e
Instruction Fuzzy Hash: BF2168B1E002005BD7147F319D0A72A76959F86705F0A863EECD5BB3E7EE3D8811865E

Function 00436A38 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00436A65

Strings

u, xrefs: 00436A73

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: u
API String ID: 95929093-4067256894
Opcode ID: 3484c23c7cdde163382f8b5677bb3c5e64803b511a88fc23218b33cef870498d
Instruction ID: f3c22d90c568ecaed0f3cc6f16dafd322a7d18ae38fc015f3be8ab71a63a4f26
Opcode Fuzzy Hash: 3484c23c7cdde163382f8b5677bb3c5e64803b511a88fc23218b33cef870498d
Instruction Fuzzy Hash: 29010434C082929FCF119F78C9403EE7FA16F1B310F1986A9C4D567386D7398A058B96

Function 0043E9A1 Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E9A1
GetForegroundWindow.USER32 ref: 0043E9B3

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0dea34fee18d2d4d34ccc8698138f7830839b94345d1193dcb1cea91282bf9ce
Instruction ID: 1f1a92c4ed7c3cabed4fabd3d678f137bf463a9ca5e289bc5fa2f09bb69a997d
Opcode Fuzzy Hash: 0dea34fee18d2d4d34ccc8698138f7830839b94345d1193dcb1cea91282bf9ce
Instruction Fuzzy Hash: B7D012B9C000068BDF44DFA0FC8D44E7769BE46619F045035E40343122E93495068B4D

Function 0043D990 Relevance: 1.5, APIs: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040AC99,?,?), ref: 0043D9C2

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cdead9b86d08e6ac262e8fe0ed01f7705be6a6c4e118aac477efc9f7b9b85593
Instruction ID: b8b631638b18798679597f3341c455e23d05a83346a63bcdeeebd9bf56da5e38
Opcode Fuzzy Hash: cdead9b86d08e6ac262e8fe0ed01f7705be6a6c4e118aac477efc9f7b9b85593
Instruction Fuzzy Hash: EFF0277A8582A0FBC6116F25BC02A9B3664EF8F315F01147BF401A6121DB3ADC06D6DF

Function 0043BD40 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,004215EE), ref: 0043BD60

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8b36816211867e107b1c33e8a36d1a93761f9aace37de06867b51b3c08574d90
Instruction ID: f90848bae3256b06cf5094926935a10db3a74c04a44cfe7e493f6f0e12b6a334
Opcode Fuzzy Hash: 8b36816211867e107b1c33e8a36d1a93761f9aace37de06867b51b3c08574d90
Instruction Fuzzy Hash: 85D0C931465622EBC6146F18BC15BC73A54DF4A361F0708A2F4006A475C675DC91DAE8

Function 0043BD20 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,00408638,?,00408638), ref: 0043BD30

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cf65f95657680e7bc98513e43210a7ecff9104acca7fedf48e906d763921924d
Instruction ID: 2c7a29268eac836babc22c216ba9330a039660881ad4ae188c8b4a1fbc13fc40
Opcode Fuzzy Hash: cf65f95657680e7bc98513e43210a7ecff9104acca7fedf48e906d763921924d
Instruction Fuzzy Hash: 40C09B31455321EBC6106B15FC05FC77F54DF49751F1140A6B00477072C771AC41C6D8

Non-executed Functions

Function 004387D0 Relevance: 30.5, APIs: 10, Strings: 7, Instructions: 776memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C), ref: 00438A5F
SysAllocString.OLEAUT32(AF71AD7E), ref: 00438AD5
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B14
SysAllocString.OLEAUT32(5F8F5D8B), ref: 00438BB5
SysAllocString.OLEAUT32(4F0B4D1F), ref: 00438C4B
VariantInit.OLEAUT32(F2FDFCE7), ref: 00438CBE
SysFreeString.OLEAUT32(?), ref: 00438FAC

Strings

Rac, xrefs: 00438C05
&e?g, xrefs: 00438C0D
'y){, xrefs: 00438C15
$%&', xrefs: 00439081
xY`[, xrefs: 00438BD5
|}, xrefs: 00438C1D
UvW, xrefs: 00438BED

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInitInstanceProxyVariant
String ID: UvW$$%&'$&e?g$'y){$Rac$xY`[$|}
API String ID: 2895375541-3935235898
Opcode ID: cedc0d122eda84c37e771d2f76dcedd7a404c4fffcf9a77079a05c5f669563b7
Instruction ID: 3c98ca3655e8fbad89b897cedc23f9ec929c21c5d575d6668501c9692a1c22de
Opcode Fuzzy Hash: cedc0d122eda84c37e771d2f76dcedd7a404c4fffcf9a77079a05c5f669563b7
Instruction Fuzzy Hash: 4D32F072A083408BD314CF64C8817ABFBE2EBD9714F18592EF5949B390DB78D905CB96

Function 00433500 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 121clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433514
GetClipboardData.USER32 ref: 0043352F
GlobalLock.KERNEL32 ref: 00433548
GetWindowLongW.USER32 ref: 004335AE
GlobalUnlock.KERNEL32 ref: 00433681
CloseClipboard.USER32 ref: 0043368A

Strings

q, xrefs: 004335C9
j, xrefs: 004335E7
Q, xrefs: 004335EC
], xrefs: 004335BF
e, xrefs: 004335DD
x, xrefs: 004335D3

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: Q$]$e$j$q$x
API String ID: 2832541153-692368135
Opcode ID: cd7ee1b0d44008d18f148219d93ad27284650de1e218d48dcbd18ce31904f4f5
Instruction ID: 6f1dbd0e63c0454490a30a8cba9f540b8e981e08c188719af7d206ff943662a7
Opcode Fuzzy Hash: cd7ee1b0d44008d18f148219d93ad27284650de1e218d48dcbd18ce31904f4f5
Instruction Fuzzy Hash: 9B41927150C7418ED310AF78988935FBFE0AB9A315F044A3EE4D5873D2D6788649C75B

Function 00426FD0 Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 306COMMON

Download Yara Rule

Strings

KJIH, xrefs: 00427214
1G#A, xrefs: 0042727E
3SQm, xrefs: 004272A6
rqB, xrefs: 00427165
xlc=, xrefs: 00427190
#C(], xrefs: 00427286
o;i, xrefs: 004272AE

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: o;i$#C(]$1G#A$3SQm$KJIH$rqB$xlc=
API String ID: 0-4225912290
Opcode ID: b291a350f7d21ee5a1b80931a86ef7cb954b4aa59bf97fddcf800b527b295b08
Instruction ID: 99384cb80079416eac910717a9e1d0dd8795ebf962f0defd3915704c1b902f09
Opcode Fuzzy Hash: b291a350f7d21ee5a1b80931a86ef7cb954b4aa59bf97fddcf800b527b295b08
Instruction Fuzzy Hash: 06914876A0C3248BC320DF64E88165FB7E1EBC9704F59493EE98997341DB74AD058BCA

Function 004230D3 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 470COMMON

Download Yara Rule

Strings

57B, xrefs: 004230DF
>\:B, xrefs: 00423117
IF, xrefs: 00423557
HN, xrefs: 00423661
,@ F, xrefs: 0042311F
DJ, xrefs: 00423659
,D J, xrefs: 00423127

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: DJ$,@ F$,D J$57B$>\:B$IF$HN
API String ID: 0-546559132
Opcode ID: 53c1fe6a3d8edab316d02aaf9cb82a2134dd9dc0253ca9ecf7a21cf2c49870eb
Instruction ID: 573b38de4df0c584551da9470d46ba7f63cc1349f9138d30f378e2aa21cb097c
Opcode Fuzzy Hash: 53c1fe6a3d8edab316d02aaf9cb82a2134dd9dc0253ca9ecf7a21cf2c49870eb
Instruction Fuzzy Hash: 88E1D9B560D3418FD310CF68E89126BBBE1FBC5754F14892DE9818B361E778890ACB4B

Function 00419190 Relevance: 11.7, APIs: 2, Strings: 4, Instructions: 1209COMMON

Download Yara Rule

APIs

Part of subcall function 0043DA10: LdrInitializeThunk.NTDLL(00440D9D,?,00000018,?,?,00000018,?,?,?), ref: 0043DA3E

FreeLibrary.KERNEL32(?), ref: 00419706
FreeLibrary.KERNEL32(?), ref: 0041976B

Strings

X{, xrefs: 004195AE
HS, xrefs: 004195B6
056w, xrefs: 004198C4
wB, xrefs: 004195C6

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: 056w$HS$X{$wB
API String ID: 764372645-2637307891
Opcode ID: 8cda8737b51c2a5b10dbecfc56f8fcb0076f712215e9232e299a7d4ae60a7aa1
Instruction ID: 5228fd0e467c720768e27c90b66e3c9c54d982958b1791ede40bd78fdaf92bff
Opcode Fuzzy Hash: 8cda8737b51c2a5b10dbecfc56f8fcb0076f712215e9232e299a7d4ae60a7aa1
Instruction Fuzzy Hash: B0821B746483406BE724CF24D8A076BBBE1EBD6714F28892DE0D5473A1D379DC82CB5A

Function 00418241 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 419COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00418272

Strings

o, xrefs: 0041898B
<9, xrefs: 0041835B
L, xrefs: 0041836B

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: <9$L$o
API String ID: 237503144-3122339205
Opcode ID: e17082548c54c39f30985331f76dbc5a7f869a826d3146b3f11a261b34a1bf56
Instruction ID: 38d06cfc946e2d634f33bc898b8b3081b8a665a97a1976fa3bc9cb3ab81d6238
Opcode Fuzzy Hash: e17082548c54c39f30985331f76dbc5a7f869a826d3146b3f11a261b34a1bf56
Instruction Fuzzy Hash: F6E14B756083528BD320CF29D8D07ABB7E1EF99324F188A3DE4C487391EB789945CB56

Function 00417EEE Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 287COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,59195F3A,00000000,00000000,?), ref: 004181F4

Strings

M+O, xrefs: 00417F5E
qWs, xrefs: 00417F66
7imJ, xrefs: 00417F7B
}Y*[, xrefs: 00417FC2
!C-M, xrefs: 004180FA

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M+O$!C-M$7imJ$}Y*[$qWs
API String ID: 237503144-2509796657
Opcode ID: 47ed97315e110507114ef7b549b792d0a16ca60f33f0bbd43ba62459c0688936
Instruction ID: 249fc3654da106cc027156d5fad6694f65c71858bdaf82a4f9d6bcb215be2f5f
Opcode Fuzzy Hash: 47ed97315e110507114ef7b549b792d0a16ca60f33f0bbd43ba62459c0688936
Instruction Fuzzy Hash: 3F9116716183128BC324CF14C4916BBB7F1EFC9764F199A1EE5CA5B361E7389881C74A

Function 00801730 Relevance: 10.7, APIs: 7, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00801180: _strlen.LIBCMT ref: 008011EA

GetFileSize.KERNEL32(00000000,00000000), ref: 008017A1
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008017C7
CloseHandle.KERNEL32(00000000), ref: 008017D6
_strlen.LIBCMT ref: 00801834
CloseHandle.KERNEL32(00000000), ref: 00801946
GetModuleHandleA.KERNEL32(00000000), ref: 008019A7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 008019B6

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: FileHandle$CloseModule_strlen$NameReadSize
String ID:
API String ID: 3533648253-0
Opcode ID: c0d6112bb372fa023dea3fbe1e9ebbee43e9c8b2ea7d35bf1872984e1d357467
Instruction ID: aa2d2600634c3ae861eb9d29c961626da3c12fb9e2bbb305c6fc399f5f5e420b
Opcode Fuzzy Hash: c0d6112bb372fa023dea3fbe1e9ebbee43e9c8b2ea7d35bf1872984e1d357467
Instruction Fuzzy Hash: 4C61F6B29043019FDB50EF28CC89B2ABBE4FF99324F458928F489D7291E734D9448793

Function 0042856C Relevance: 9.3, Strings: 7, Instructions: 519COMMON

Download Yara Rule

Strings

#z*>, xrefs: 004287D5
hi, xrefs: 004286FE
KJIH, xrefs: 004289B5
xlc=, xrefs: 00428938
M`af, xrefs: 004288BE, 004288CB
TU, xrefs: 004287CE
M`af, xrefs: 004287DA, 00428846

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: #z*>$KJIH$M`af$M`af$TU$hi$xlc=
API String ID: 0-3444116175
Opcode ID: c0baef34677e044ab247d2e5aac73f80a096439048c6999c4bcee056cd6db3af
Instruction ID: 7e836b9766b242f3fc3dd51180be0f2cab443d7991a9e66097dbc5a85011b6e9
Opcode Fuzzy Hash: c0baef34677e044ab247d2e5aac73f80a096439048c6999c4bcee056cd6db3af
Instruction Fuzzy Hash: 0BD14775609321CBC3149F18D85166FB3F1EF86314F444A2DF9D69B3A0EB789905CB8A

Function 00428630 Relevance: 9.3, Strings: 7, Instructions: 514COMMON

Download Yara Rule

Strings

#z*>, xrefs: 004287D5
hi, xrefs: 004286FE
KJIH, xrefs: 004289B5
xlc=, xrefs: 00428938
M`af, xrefs: 004288BE, 004288CB
TU, xrefs: 004287CE
M`af, xrefs: 004287DA, 00428846

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: #z*>$KJIH$M`af$M`af$TU$hi$xlc=
API String ID: 0-3444116175
Opcode ID: 8636f7f2d492a3864e0f02ebe2bf5754de26b4778162c7e19092fcca7101ddf1
Instruction ID: f976bc588ec640565c7012468651d5ffc8b69fa3d08ac8f64f271550ea2c12cc
Opcode Fuzzy Hash: 8636f7f2d492a3864e0f02ebe2bf5754de26b4778162c7e19092fcca7101ddf1
Instruction Fuzzy Hash: ADD13675609321CBC3149F18D85266FB3F1EF86314F444A2DF9D69B3A0EB789905CB8A

Function 004257AC Relevance: 9.3, Strings: 7, Instructions: 503COMMON

Download Yara Rule

Strings

xlc=, xrefs: 00425D67
xlc=, xrefs: 00425C9A
KJIH, xrefs: 00425A65
x~, xrefs: 0042582C
xlc=, xrefs: 004259E5
tz, xrefs: 00425824
KJIH, xrefs: 00425D12

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: KJIH$KJIH$xlc=$xlc=$xlc=$tz$x~
API String ID: 0-1340891752
Opcode ID: b28c78b09fa9fa9f10d3d24584371599d8ab19276a3a060c2099cb0d7731b876
Instruction ID: 4b9b57266fa6f88c6c86b47bd8eb3fb309f79ef555365d41f88ab1d7a07e1ec3
Opcode Fuzzy Hash: b28c78b09fa9fa9f10d3d24584371599d8ab19276a3a060c2099cb0d7731b876
Instruction Fuzzy Hash: 77F16579A0C350DFD3248F55E88172BBBE1FBCA314F95482DEA859B351D7749802CB8A

Function 00426430 Relevance: 9.1, Strings: 7, Instructions: 396COMMON

Download Yara Rule

Strings

BC, xrefs: 00426EE5
no, xrefs: 00426DE7
WLTO, xrefs: 004270D9
xlc=, xrefs: 00427190
SDTB, xrefs: 004270A2
DTS^, xrefs: 004270C3
sNDW, xrefs: 004270F5

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: BC$DTS^$SDTB$WLTO$no$sNDW$xlc=
API String ID: 0-4261215005
Opcode ID: aa01ce96a05b156c2b1f41cb97ec9e7dd4cdd193ddbb93280ca7d29986eee33e
Instruction ID: bc51c2f3923f1d1749b79aa7f72e467a3002caf565e53d3967ace05a6b2d116c
Opcode Fuzzy Hash: aa01ce96a05b156c2b1f41cb97ec9e7dd4cdd193ddbb93280ca7d29986eee33e
Instruction Fuzzy Hash: F3D1F0B5A0C3908FD7309F24E8917ABB7F1EB96304F45482DE5C99B252DB748905CB8B

Function 00429070 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429149

Strings

~Pf?, xrefs: 004291BD
zPf?, xrefs: 00429157

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: zPf?$~Pf?
API String ID: 237503144-2637493059
Opcode ID: 26d119dec0a38fc1d7c433e7bb48d8e841ee7a0981e4bddc7203521b33e83297
Instruction ID: 198dd5e36b7fe1fa964ce911b4fb16a36b701d1aa9f0cceef3b71a0ea0f726ca
Opcode Fuzzy Hash: 26d119dec0a38fc1d7c433e7bb48d8e841ee7a0981e4bddc7203521b33e83297
Instruction Fuzzy Hash: EB514675648305EFE3108F25AC81B6BB7A8FBC2704F50193DFA509B291DBB4D81ACB56

Function 00819C77 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00819648,?,00000000), ref: 00819D10
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00819648,?,00000000), ref: 00819D39
GetACP.KERNEL32(?,?,00819648,?,00000000), ref: 00819D4E

Strings

OCP, xrefs: 00819CCB
ACP, xrefs: 00819C95

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f760a4477d8e8e13e940f701f6338e9de521ab9f3ae340f8f05b93c3c9be8da1
Instruction ID: 0118c480f180abf36344ef73607711149e393c60e44ca10a6166292a12e085e3
Opcode Fuzzy Hash: f760a4477d8e8e13e940f701f6338e9de521ab9f3ae340f8f05b93c3c9be8da1
Instruction Fuzzy Hash: EE21A122B00105AAEB348B25D921AE777EEFF54B54B568424E9CAD7214E732DEC1C390

Function 0041D5B0 Relevance: 8.5, Strings: 6, Instructions: 1030COMMON

Download Yara Rule

Strings

klSm, xrefs: 0041D930
+, xrefs: 0041DD87
wJsU, xrefs: 0041D938
J_\e, xrefs: 0041D969
JSQC, xrefs: 0041D974
iWDB, xrefs: 0041D948

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: +$JSQC$J_\e$iWDB$klSm$wJsU
API String ID: 0-48882314
Opcode ID: 6b08c17d73f50599bc3423449fc688f48cd1f5fde1254425c14f9c76bad262bb
Instruction ID: 6539de25e02be62e166c2d6d1fbf72afe4b3ae9106669352150e090de26398d0
Opcode Fuzzy Hash: 6b08c17d73f50599bc3423449fc688f48cd1f5fde1254425c14f9c76bad262bb
Instruction Fuzzy Hash: 1B72597090C3518FC725CF29C8406AFBBE1AF95314F188A6EE8E58B392D738D946C756

Function 00819512 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00814463: GetLastError.KERNEL32(00000000,?,00816842), ref: 00814467
Part of subcall function 00814463: SetLastError.KERNEL32(00000000,?,?,00000028,00810A12), ref: 00814509

GetUserDefaultLCID.KERNEL32 ref: 0081961A
IsValidCodePage.KERNEL32(00000000), ref: 00819658
IsValidLocale.KERNEL32(?,00000001), ref: 0081966B
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 008196B3
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 008196CE

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: d19c36f2d4e78ad167d7931df37e9aabbbee04f1f6b56833a8daf4f0afb28147
Instruction ID: e2d1609109e7846b41b7ac8c9707ca98482378d70fc3dc50bb9e3ac43bdc757e
Opcode Fuzzy Hash: d19c36f2d4e78ad167d7931df37e9aabbbee04f1f6b56833a8daf4f0afb28147
Instruction Fuzzy Hash: 89518C71A00219EBDF21DFA9DCA1EEA77BCFF58700F144429F941E7190EB7099808B61

Function 0041B9A0 Relevance: 6.8, Strings: 5, Instructions: 597COMMON

Download Yara Rule

Strings

w, xrefs: 0041BB33
IG, xrefs: 0041BB2B
C@, xrefs: 0041BC38
YF, xrefs: 0041BF7A
>j%h, xrefs: 0041BF90

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: >j%h$C@$IG$YF$w
API String ID: 0-3977256543
Opcode ID: b1c41823cc40404da43d45bdcbf5a05d767afae4a0658e6817707d5df229ca96
Instruction ID: bddec1b54a39677e85b17c04ceb6ad18fd944dcb43d24b0713774ccf1a2472f2
Opcode Fuzzy Hash: b1c41823cc40404da43d45bdcbf5a05d767afae4a0658e6817707d5df229ca96
Instruction Fuzzy Hash: A302107260C3408BD704DF69C8516ABFBE2EFD6314F09882DE4D58B392E7389545CB9A

Function 00409400 Relevance: 6.6, Strings: 5, Instructions: 366COMMON

Download Yara Rule

Strings

9Z, xrefs: 004096BF
j*Dk, xrefs: 0040957B
hi, xrefs: 004097F3
f*Dk, xrefs: 00409531
QB, xrefs: 004096C7

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 9Z$QB$f*Dk$hi$j*Dk
API String ID: 0-1355044455
Opcode ID: b730e9b78eb2bf3f614c61d1bfed981cc9b54103566f3d92fdc9fb82601dc528
Instruction ID: f303c378167b457a4bc42ceebe78ce79b7bb772c8b3d846b3dc4aa0fafa8ed13
Opcode Fuzzy Hash: b730e9b78eb2bf3f614c61d1bfed981cc9b54103566f3d92fdc9fb82601dc528
Instruction Fuzzy Hash: 85B1227161C3808BD718DF65C8516ABBBE2EBD2304F14892DE0E59B392D73CD50ACB5A

Function 00812370 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5e9c3d5b8dfd3e6dc0569d32db29be04432f65769e57fa47aedbbc9c5abd24
Instruction ID: aa88c898afec6d94c20c16a356c15da0d6d2fbf0a60cd344dfd2c9ab35536e97
Opcode Fuzzy Hash: bd5e9c3d5b8dfd3e6dc0569d32db29be04432f65769e57fa47aedbbc9c5abd24
Instruction Fuzzy Hash: DE022A71E012199FDF14CFA9D890AEEBBB5FF48314F248269D919E7380D731A9918B90

Function 00807EDA Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00807EE6
IsDebuggerPresent.KERNEL32 ref: 00807FB2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00807FCB
UnhandledExceptionFilter.KERNEL32(?), ref: 00807FD5

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d33fa7ca547c97462579e30e354f9fed07c02c3df8489752b1ebda8de3127b90
Instruction ID: 263957b074e0fbb8bb38a856debdcc13a6201b958f263c16c57b1378beba0f7e
Opcode Fuzzy Hash: d33fa7ca547c97462579e30e354f9fed07c02c3df8489752b1ebda8de3127b90
Instruction Fuzzy Hash: 5531E775D053299BDB61DF64DD49BCDBBB8BF08300F1041AAE40DAB290EB719A85CF45

Function 00417207 Relevance: 5.4, Strings: 4, Instructions: 423COMMON

Download Yara Rule

Strings

L4, xrefs: 004172E0
Oslm, xrefs: 00417589
3wA, xrefs: 00417515, 0041772D
L4, xrefs: 00417600

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: 3wA$Oslm$L4$L4
API String ID: 2994545307-2234767502
Opcode ID: 55b4a41372dca712092a1eaecccb805a59e03ac2c14743f54ca86adce86c54c9
Instruction ID: 307d0b6bb99e80c2126adcaddeb59da55b998df86b0f55e95dd8da5ebd5bfe2f
Opcode Fuzzy Hash: 55b4a41372dca712092a1eaecccb805a59e03ac2c14743f54ca86adce86c54c9
Instruction Fuzzy Hash: BFD147716083419FD724CF28C8817ABB7E2ABC6314F188A3DE4D983392D735D856CB86

Function 00415506 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

7, xrefs: 00415649
gfff, xrefs: 00415694
WT, xrefs: 004155E0

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 7$WT$gfff
API String ID: 0-3918836065
Opcode ID: 21742d871e8e7565f4799f0f6b61d9b2b9d4d7a893c2c2e2db77cf6dadadda6d
Instruction ID: b46a7ac6f51d3cab31650695944aba32df2089761ef6db5e6300506385caa733
Opcode Fuzzy Hash: 21742d871e8e7565f4799f0f6b61d9b2b9d4d7a893c2c2e2db77cf6dadadda6d
Instruction Fuzzy Hash: D8A13A73A106008FD318CA29CC517FBB7D3ABC5324F1AC63ED456CB2D9EA3898468785

Function 0041A3A0 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

Ju, xrefs: 0041A428
tu, xrefs: 0041A438
w~, xrefs: 0041A430

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: Ju$tu$w~
API String ID: 0-2718015323
Opcode ID: 097feee570f0975cec72a38ba8a996f2834307db561bb98c5cd56739510201ab
Instruction ID: 3c52c23171b1d345c2d49e998851337e4974a2c3d886fd1ac3d2f2ae50b48a00
Opcode Fuzzy Hash: 097feee570f0975cec72a38ba8a996f2834307db561bb98c5cd56739510201ab
Instruction Fuzzy Hash: 6F41AA700093918BC724CF29C8606BBBBE0EF83364F04495DE5D28B291E3BD9945CB97

Function 0042963E Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

KJIH, xrefs: 004296D0
xlc=, xrefs: 00429656
xlc=, xrefs: 00429737

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: KJIH$xlc=$xlc=
API String ID: 0-3693430147
Opcode ID: fabc35b66f8c2596e72524153f4b394535b339161b76d9f65bb372e29679637f
Instruction ID: 1df2b0cd354e5eb9382eacdd7d6201147e9d1f654fc09427a9397325319c904e
Opcode Fuzzy Hash: fabc35b66f8c2596e72524153f4b394535b339161b76d9f65bb372e29679637f
Instruction Fuzzy Hash: 4441F53AB69724DBC7289F59ECC152AF7E1EB99710F84543ED982DB311C728DC01878A

Function 00426639 Relevance: 3.1, Strings: 2, Instructions: 613COMMON

Download Yara Rule

Strings

@gB, xrefs: 00426820, 00426B5F
kim}, xrefs: 00426689

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: @gB$kim}
API String ID: 0-565826954
Opcode ID: b1b090e9ca6fc6666c9fc869038212e4a7a892abaffb0db607ce72a36e96b015
Instruction ID: 9883a33267a4edeb7d73dc9f2210c431252dad24f6d1f8ca6899b908e8f0c5d9
Opcode Fuzzy Hash: b1b090e9ca6fc6666c9fc869038212e4a7a892abaffb0db607ce72a36e96b015
Instruction Fuzzy Hash: 1E225875E04265CFCB14CF68D8916AEBBB1EF49304F1980AED851AB352C739AD06CBD4

Function 00801A80 Relevance: 3.1, APIs: 2, Instructions: 56encryptionCOMMON

Download Yara Rule

APIs

FreeConsole.KERNEL32 ref: 00801A90

Part of subcall function 00801B30: _strlen.LIBCMT ref: 00801B4A

Part of subcall function 00803510: std::_Lockit::_Lockit.LIBCPMT ref: 0080352C
Part of subcall function 00803510: std::_Lockit::_Lockit.LIBCPMT ref: 0080354A
Part of subcall function 00803510: std::_Lockit::~_Lockit.LIBCPMT ref: 0080356C
Part of subcall function 00803510: std::_Lockit::~_Lockit.LIBCPMT ref: 008035DA

CryptDestroyKey.ADVAPI32(00000000,00000000), ref: 00801B07

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$ConsoleCryptDestroyFree_strlen
String ID:
API String ID: 3784716463-0
Opcode ID: 7d8d5295100f1e321bb8ac01abc6a92fc0ec73a40849dd221d1af593e4db78a6
Instruction ID: 69d76e6f2789b0d6461c114d602e58c2c9d7283fcc64e815d977965180b1ce7f
Opcode Fuzzy Hash: 7d8d5295100f1e321bb8ac01abc6a92fc0ec73a40849dd221d1af593e4db78a6
Instruction Fuzzy Hash: D21130347002009FCB94AB78DC5EA2A7BE4FF89751B458468F44ACB3E2DA30DC41CB52

Function 0040E49F Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

p{-s, xrefs: 0040E768
p{-s, xrefs: 0040E5E5

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: p{-s$p{-s
API String ID: 2994545307-716220686
Opcode ID: c17edae38290082421aab57eeee7405bbad7843d87237c1d09d18468a9e4a85b
Instruction ID: f0c58c42614237375e365d72bc3c7a37cc96942c1005d0a9fe5c86925e2313ea
Opcode Fuzzy Hash: c17edae38290082421aab57eeee7405bbad7843d87237c1d09d18468a9e4a85b
Instruction Fuzzy Hash: 48810435240601AFC728CB29CD92672B7E2EB8530871C8D7FD156D76A6D73DE8229B08

Function 00414555 Relevance: 1.9, Strings: 1, Instructions: 676COMMON

Download Yara Rule

Strings

D]+\, xrefs: 004149E0

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 37d169aeffd20a6d30b692ee132c77559bea1e1f5ad44dc3e956a8bc2b39f910
Instruction ID: 6eaa0e288d17af3073420727940d7316843beff06a9f480f376b440b66a0ce76
Opcode Fuzzy Hash: 37d169aeffd20a6d30b692ee132c77559bea1e1f5ad44dc3e956a8bc2b39f910
Instruction Fuzzy Hash: 8302E679918350EFD7188F64E84066BBBE1BBDA300F19493EE8C197351C63DD852CB9A

Function 00415E9A Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

z, xrefs: 00416241

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: z
API String ID: 2994545307-1657960367
Opcode ID: 6666a717bb8fe0fe04051d01c6cae9e4068ff36f01719d603cb9308df52f8cb1
Instruction ID: a41510cab639ff2c168ed1a461397d8e6c98ec91fc98b876038bb987118f98da
Opcode Fuzzy Hash: 6666a717bb8fe0fe04051d01c6cae9e4068ff36f01719d603cb9308df52f8cb1
Instruction Fuzzy Hash: 7FD12934A083409FD724CF2598907BBB7E2EBDA314F19592EE0D657291C738D847CB5A

Function 004393D0 Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

056w, xrefs: 004394F9

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: 056w
API String ID: 2994545307-3031594284
Opcode ID: 0fe2b6f902d06aabeca67469abf310754523655c84f2f5807defee55d6baa741
Instruction ID: 1e524d56f986b60e63968127200a34d937c12baad4a8d406414dac60ed768612
Opcode Fuzzy Hash: 0fe2b6f902d06aabeca67469abf310754523655c84f2f5807defee55d6baa741
Instruction Fuzzy Hash: C0C17A72A083005BD3249E24CCC277BB7A2EBCA314F18A52ED59557391D6BCDC46C79A

Function 00421B00 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

\l, xrefs: 00421E41

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: \l
API String ID: 0-332606932
Opcode ID: d407e83e5b23b8a197dc5e6ebc907db7647ac39686a9a52a72d8a168eeafba0b
Instruction ID: 852c598ae3c60e65e129f9c36e5a4a5eb34ebc179e5d94f45104046a45fe5565
Opcode Fuzzy Hash: d407e83e5b23b8a197dc5e6ebc907db7647ac39686a9a52a72d8a168eeafba0b
Instruction Fuzzy Hash: E7B18D72A143209BD7249F24AC82677B3B1EFA1314F99852EECC557351E23CEC05C79A

Function 00417AB8 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

_, xrefs: 00417E13

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 3ff23ee7246873a1d2290c2c33a05e402a47fac2e6bc1f01ede407cef3bf6af9
Instruction ID: 2874f46035bf117a80d7d2a23349d9cb71d49021efdfc033c4a59cdebb79e407
Opcode Fuzzy Hash: 3ff23ee7246873a1d2290c2c33a05e402a47fac2e6bc1f01ede407cef3bf6af9
Instruction Fuzzy Hash: 86B1F77560C3408BD7258F2898617FBBBF2ABDA314F28497ED4C687382D7389851875A

Function 00440770 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

TUVW, xrefs: 004407F8, 004408C2

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: TUVW
API String ID: 2994545307-380802359
Opcode ID: 4d66da3c77af8b016ec54a6894f69458ce8ff3ed0ee1aff86ead904b19b2c1b2
Instruction ID: 7047d3b5c699d964b661b5aab337125677ab7b56ce49f2f3292149c0b4397d23
Opcode Fuzzy Hash: 4d66da3c77af8b016ec54a6894f69458ce8ff3ed0ee1aff86ead904b19b2c1b2
Instruction Fuzzy Hash: 659165717083019FE325DF68D880A2BB7E2EBD6310F18893DE69597391C639DC16CB96

Function 00440450 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

/4-", xrefs: 00440452

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: /4-"
API String ID: 2994545307-255669811
Opcode ID: 63d2ecc0e103ed6448d142feec97063014732cb18ef782f8fe19315788f44d47
Instruction ID: 5d47b2a4792fb15c73dd9788517ba42da93c73d11f813630f87d1316b5251ac7
Opcode Fuzzy Hash: 63d2ecc0e103ed6448d142feec97063014732cb18ef782f8fe19315788f44d47
Instruction Fuzzy Hash: B8913835604311AFE720DF28C88066BB7E2EFD4750F19852DEA815B395DB39EC62C785

Function 0042B8BD Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

c`^Z, xrefs: 0042BA6B

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: c`^Z
API String ID: 0-4018570465
Opcode ID: 9eaaeac1af0046f77bfdce008b90eb0f0d12110f4699f489367c40e366593788
Instruction ID: 84572387e2f9d8e30e4a59fcb4903cfd6437d21f2140ce11b4878cf53556221a
Opcode Fuzzy Hash: 9eaaeac1af0046f77bfdce008b90eb0f0d12110f4699f489367c40e366593788
Instruction Fuzzy Hash: DA513576A0C3A18BC335CF3998903E7BBE2AF96704F58896EC4C99B205DA3845058786

Function 0042B963 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

c`^Z, xrefs: 0042BA6B

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: c`^Z
API String ID: 0-4018570465
Opcode ID: d783b575065614c62e39edefdac40061046f0ec8c49e4bcc71ff719ed9c249e9
Instruction ID: 62403507b67e3add205e3cb6eb23e8c84b81608dc76150191bd4437fa6a5d6a1
Opcode Fuzzy Hash: d783b575065614c62e39edefdac40061046f0ec8c49e4bcc71ff719ed9c249e9
Instruction Fuzzy Hash: 8241477061C3D18BD735CF3994903E7BBE1EB97700F68896DC0C987246DB3844068B96

Function 0042BB66 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

KI, xrefs: 0042BCAA

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: KI
API String ID: 0-1977173829
Opcode ID: 9817d8d2cd989187cfd65775c6c2d6774b5ae1b7bccca7278f7fa6d8ef7e6c81
Instruction ID: 91a34f79fce4890eca5ccf24ac22c1236428951ee7d79aa7463c0d4d2c87feab
Opcode Fuzzy Hash: 9817d8d2cd989187cfd65775c6c2d6774b5ae1b7bccca7278f7fa6d8ef7e6c81
Instruction Fuzzy Hash: 9C41F43564C7908AD3358F34D8943EABBF1ABD6300F58866DD4C99B382CB7855069B86

Function 0041B25A Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

q, xrefs: 0041B361

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: fc3bb61bfd94ae5a3fae19a49a936b96d29985acd56f8c40518c59ddd57b5efb
Instruction ID: 93a25755fb4b0333ef7b556c8c5401fcb28c9ec14eb27c0752a44160350e560f
Opcode Fuzzy Hash: fc3bb61bfd94ae5a3fae19a49a936b96d29985acd56f8c40518c59ddd57b5efb
Instruction Fuzzy Hash: AA41583464C340ABC7054B24DC06B6E7BA1AF97B05F04896EF5E18B2E1C7798815CB8B

Function 0042BB60 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

KI, xrefs: 0042BCAA

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: KI
API String ID: 0-1977173829
Opcode ID: 1cb5d465071201c5d4a5cc368f7d339e4b5fbc63d8b3d73cbb9a409c79d20b7b
Instruction ID: aae285d08021c98cc9ad7b5e59d58feaf1cef8b380b4a0bc2b22dfea0a95e3f8
Opcode Fuzzy Hash: 1cb5d465071201c5d4a5cc368f7d339e4b5fbc63d8b3d73cbb9a409c79d20b7b
Instruction Fuzzy Hash: CF411675A4C7908BD3258F34D8943EABBF1FBC5300F588A6DD4C99B385CB7854069B86

Function 0041864E Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

v, xrefs: 00418685

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: d255b25c69fcc9c8248d0df40f5e3549dd583127a3b06a41a83426b700faeda1
Instruction ID: 9699c58770c97fb3a7005195816939a3fdc948d4c1fc9f16f5ad9316cf85a81d
Opcode Fuzzy Hash: d255b25c69fcc9c8248d0df40f5e3549dd583127a3b06a41a83426b700faeda1
Instruction Fuzzy Hash: EB11E276D187618BC310CF34C98028FBAE2ABC9315F16892DE4C5A3315D678CD48CB8B

Function 0043E450 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

lhin, xrefs: 0043E460

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: lhin
API String ID: 0-138776974
Opcode ID: 8b26fef1caf86ef8e11393a310a0b5113c05f2ec9044265c383a10711fd843b9
Instruction ID: 7fd97130cce7ea1aa8fbfb12d6e93ce7f630f2e99416a8fc191b46fa008a84d9
Opcode Fuzzy Hash: 8b26fef1caf86ef8e11393a310a0b5113c05f2ec9044265c383a10711fd843b9
Instruction Fuzzy Hash: D0F0E236F742848BD708CFB9CC4226A66E3DB1A204B18D43DC456E3741E128E8014F18

Function 0043DB10 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

/lmb, xrefs: 0043DB25

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: /lmb
API String ID: 0-3946268590
Opcode ID: b2d4435d6592d3df5b43c8a07f37ef4b00b2396ced98faf09dab045db6f26371
Instruction ID: a5e828aa6f98702fee6d9b5aa253f0e325b3382cd617644059fa6236e749b797
Opcode Fuzzy Hash: b2d4435d6592d3df5b43c8a07f37ef4b00b2396ced98faf09dab045db6f26371
Instruction Fuzzy Hash: C2F06579A449C58BDB54CF38ADB52B777F0E74B215F1029B8C602E36A0DA7098518A0C

Function 0043F730 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d53a1485c9af1d75df7a3ff55b9b87dfe617749fb47fde82fc328e9d4b398f8
Instruction ID: 9440bc60363055fc7741ad62e826ac52b0005078bc596843184142e62853e9a9
Opcode Fuzzy Hash: 8d53a1485c9af1d75df7a3ff55b9b87dfe617749fb47fde82fc328e9d4b398f8
Instruction Fuzzy Hash: 98022576A58211CFC708CF38D89056AB7E2FB8E310F0A857DD985D7361EA35AC15CB85

Function 004058D0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706edc3a786295cd9b7db35b8e16aa02d11b2287f3acf26f8c1a695ff84f42ae
Instruction ID: d1bd641e04ddd3f8c80cfe45303f140b1f3ce863c723953b48f0dca61e0ef25d
Opcode Fuzzy Hash: 706edc3a786295cd9b7db35b8e16aa02d11b2287f3acf26f8c1a695ff84f42ae
Instruction Fuzzy Hash: D9F1F0356087418FD724CF29C88162BFBE6EFD9304F48882EE4C987791E679E804CB56

Function 004163C0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ab4a498aea012455a196c87bfb12ae395396078d703b40940b2bba2e7ea504d
Instruction ID: d7541f2fca1ccae41e83f46ef6531090e0b4554b2222c138a89db1d633840617
Opcode Fuzzy Hash: 3ab4a498aea012455a196c87bfb12ae395396078d703b40940b2bba2e7ea504d
Instruction Fuzzy Hash: 52A17875A083408FD7158F38D8817BBBBE2EB9B318F09457ED4D997292D638C941CB1A

Function 00440180 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d66d1b63ea40d27ca9942e33a50a58befb0b080ec6b55567d6716aceb98b39d
Instruction ID: c9d4c165c56bfbf3c03a271f9fb192967cfd025fb11622c30a046a2f8b83f669
Opcode Fuzzy Hash: 8d66d1b63ea40d27ca9942e33a50a58befb0b080ec6b55567d6716aceb98b39d
Instruction Fuzzy Hash: 618106352443019BE7249F18D480A2FB7E2FFD9750F15846DEA859B391DB38DC61C78A

Function 00417745 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc985996d123b44c06bdbe62607eeac046dd191f9733dc24fca1af59f0d703a
Instruction ID: b8f4197d2f7c9f56fe9597a4586bb863907c9934a7ce81ce2e300af997d9591d
Opcode Fuzzy Hash: 6cc985996d123b44c06bdbe62607eeac046dd191f9733dc24fca1af59f0d703a
Instruction Fuzzy Hash: 398117B190C2018FC714DF28C8916ABB7F1AF95304F18492EE4D987392E738E945CB9B

Function 0043CEA0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28be7b75410f075c26fcddfdb7d548f0538016a9353fd7724876d478ba0bf56
Instruction ID: f9dc6b06319712505be0b00d1611807c54d1d8e9fe27d53802d70cc7455a1389
Opcode Fuzzy Hash: e28be7b75410f075c26fcddfdb7d548f0538016a9353fd7724876d478ba0bf56
Instruction Fuzzy Hash: 1E81A57460D3428FC719CF29C49062EBBE2AFC9314F18866EE4E587382D639D846CB56

Function 0040D11B Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7cc8c59f2c18173cea31accb2a176d643aef917dc6008e0370f2a834755b9a
Instruction ID: b8d103c4c60b49fbe0ba22ba74ead3f046f8f308e92d5c9b0b08579b41597fc8
Opcode Fuzzy Hash: 9e7cc8c59f2c18173cea31accb2a176d643aef917dc6008e0370f2a834755b9a
Instruction Fuzzy Hash: 8C51BC72B407004BDB184F79CC52377B6A3AFE6321F1D967DD0969B7D6E63898028308

Function 0042B215 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dd72832e23b2b70cc6ebba476d32fddb174955166605a8e5e5476f3b589601
Instruction ID: 74bc6ab1bbaf3b69a7a1375347432e2d302a30213048b9414b69be7e4a431046
Opcode Fuzzy Hash: f9dd72832e23b2b70cc6ebba476d32fddb174955166605a8e5e5476f3b589601
Instruction Fuzzy Hash: 5A415CB5A0D3A58BD3358B2898643B7BFD0DFA3304F28089EE8DA57351D779480587D6

Function 0040D907 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224b885b2d33e1646e8711822722071e2e6a455e5a6b5f8b883611f4457d948c
Instruction ID: 9e15d2c07ce86351c6ebb163d7bbc7b39beeeef97fa94347135c7c3a5bbe2237
Opcode Fuzzy Hash: 224b885b2d33e1646e8711822722071e2e6a455e5a6b5f8b883611f4457d948c
Instruction Fuzzy Hash: 7641C8356147018FC729CF68C991962BBE2FB8A314318D66EC5A6C7795C638E846CB48

Function 0042D0CD Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 849d42350171ca48efb55d505f96f00e9424a06188308212bc96382af344ee5e
Instruction ID: c62614d48869f4b7cb033b57bff67ce6e552f370dc62dc9228bf6d030800f41c
Opcode Fuzzy Hash: 849d42350171ca48efb55d505f96f00e9424a06188308212bc96382af344ee5e
Instruction Fuzzy Hash: 28412435B083514BD328CA3C9C6137BBBE2DBD6311F688A6DE5D1C7799E639C8018709

Function 00431090 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e287b6af470a4836ba702f679e526087b3bd0373f60ee188e5bb2a01d68630
Instruction ID: 84194131cc4f8b84b750925c12b59854d875876917f728ca93255e0c5ed1df3f
Opcode Fuzzy Hash: e1e287b6af470a4836ba702f679e526087b3bd0373f60ee188e5bb2a01d68630
Instruction Fuzzy Hash: 029150B451A3808BE374DF05D59868FBBE1BBDA308F21891E849C4B350CFB95549CF9A

Function 00418DC5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68369d8ce4395c08367e492fe15488f5d03cf08260391901d633e0d06336e0d3
Instruction ID: 52f43bb69bf967e13d8b8cf2b488c67a51938e76d39e84f9618a723eb99c5912
Opcode Fuzzy Hash: 68369d8ce4395c08367e492fe15488f5d03cf08260391901d633e0d06336e0d3
Instruction Fuzzy Hash: F94126B5908380DFE3309B259C417ABB7A6EB93308F18493DE895532A2DF359815CB5B

Function 00418F52 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ff31274707ca65935b0076e1da50561794554b8f4a8f1593c33844884775f5
Instruction ID: 99084ae7948e4e969f5cab21ab752441f84075a4ec3b964ea1b353b24493650c
Opcode Fuzzy Hash: e4ff31274707ca65935b0076e1da50561794554b8f4a8f1593c33844884775f5
Instruction Fuzzy Hash: 7621B0705082418BD7258B28C8B17F777F0EF9B324F085A9DD8D68B392E7389845C71A

Function 0043D325 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643e9d03ab5afcafe616b615b53e5a37d48034b3075b442a74698f38aaaabc60
Instruction ID: ecce191509777419fe2065107418a7e373d2744f15f7fbda99c47c06ac08e1c0
Opcode Fuzzy Hash: 643e9d03ab5afcafe616b615b53e5a37d48034b3075b442a74698f38aaaabc60
Instruction Fuzzy Hash: 3B31EDB5D102428FDB04CF74EC525AABFB1FB1B314F48647EC481AB262D6399885CF98

Function 004167E1 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3b10b11253cc296a0d9c865126b629071b74f1f080cf1e7f02cbc040023e2df
Instruction ID: 7b77d76e57314b8d537e66dbda0905c5b71d9ff5251147711cb921c64f52ab4a
Opcode Fuzzy Hash: f3b10b11253cc296a0d9c865126b629071b74f1f080cf1e7f02cbc040023e2df
Instruction Fuzzy Hash: 70114C746493009BDB25AB1898D09777762EBD6328F15193ED09217262D334DCD3CB0E

Function 00416896 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655e66a32f0ec6ef73855cb929e808cb87c538b78d40acdce1f821a373a6cf25
Instruction ID: 49c952b68e76756303a7cfa84cb587e570531a8abc643f2441ca8aaef1216cf7
Opcode Fuzzy Hash: 655e66a32f0ec6ef73855cb929e808cb87c538b78d40acdce1f821a373a6cf25
Instruction Fuzzy Hash: 1A1151386493408BD7299B2584D05BBB7A1EBDA338F25172EC096532A1C738DCD7CB0E

Function 0041598C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29e91d9988e56fa95ee0bac092a28827551d4b9ddbe0ca82728a5e9a0aba38af
Instruction ID: 61a3990d51287a321700371caea8ac95de16791a53993df06537a25f78a5eb73
Opcode Fuzzy Hash: 29e91d9988e56fa95ee0bac092a28827551d4b9ddbe0ca82728a5e9a0aba38af
Instruction Fuzzy Hash: 5C01D674A98740DBD3708B189581AEBB7B5FBCA324F545B2DD0C593250D634D892CB8E

Function 00435F00 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5939802b1301af77679c215306a21a7299ef6c9da27cc0b365f9f239b0c19f2f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 6C110833B055D50EC3168D3C8400565BFA30AA7234F6D93DAF4B89B2D6D6278D8B8399

Function 0040C4AE Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e33bdc19f01c0d864218a4dc0cc21f643ae0fc09979f94a9809007749323a0
Instruction ID: b8e46fd4180620e8fa4f02fa5b31e0b327415897175f02e2bb6ac1baa248a022
Opcode Fuzzy Hash: b2e33bdc19f01c0d864218a4dc0cc21f643ae0fc09979f94a9809007749323a0
Instruction Fuzzy Hash: 011125346555019AE34DCB34C8E6B7AA363EF43304B64622DD113A32E5DB796816C61C

Function 00429E80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae974aa015cb9a2e7ca8e05bc068c22be5d530372e1f024b1e298d7d6b666928
Instruction ID: a27733a69205e04c464837f65cce1e328396de0a29cbbd258d365049883dbe47
Opcode Fuzzy Hash: ae974aa015cb9a2e7ca8e05bc068c22be5d530372e1f024b1e298d7d6b666928
Instruction Fuzzy Hash: 7401B1F1B0031257DB20DF51A4C0727B2A9AF84708F4A453EE8485B382EB7DFC08C69A

Function 0042C89E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41aecbbb57f341e3239aeda4c52079f99c77c3874fd3ef38ef81509e98e606fa
Instruction ID: 94a2685e38f00eaf1eb05f0091b19f393d3aa0123d7ed6f17fd2bfd551075456
Opcode Fuzzy Hash: 41aecbbb57f341e3239aeda4c52079f99c77c3874fd3ef38ef81509e98e606fa
Instruction Fuzzy Hash: 9911E0727493000BE704CE3AA89016BFBE3AFD3214F2E983DD182C7725D93588078B4A

Function 004158FC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10f52bf2ee7c538ff9192ab8a2af5bf8fd1ae27d0c696df09dc7e206c4c89a3a
Instruction ID: fb47be4d804a9da23881eaf03f8acb819a2e87175e2b70562f1e2f5772406857
Opcode Fuzzy Hash: 10f52bf2ee7c538ff9192ab8a2af5bf8fd1ae27d0c696df09dc7e206c4c89a3a
Instruction Fuzzy Hash: C30126B4664700DBEB248B259C51BB7B7A1E7CA334F541A2DE0C2A31A1C6249890CA1F

Function 00402B70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec352bbe4cbc42230a0051b4d6dd25082a105aad7c4e020716a29c2d8aeb373
Instruction ID: 21743fce8f8fc89d95ce078a34e0e0e5e44fc2aba6199b741040941cf27e962f
Opcode Fuzzy Hash: 0ec352bbe4cbc42230a0051b4d6dd25082a105aad7c4e020716a29c2d8aeb373
Instruction Fuzzy Hash: 1CF0467B71821D0BD310DDA9FCC4577B3A6EBD5204B0A4139EA40A3381E8F4F80592A4

Function 0040B3BB Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bcfa2246879958e6deeecfb3dd30fbf363363fe0cdfdf4ccd092ee3f1ec607
Instruction ID: 467d839b1f2edd79695e981d77696c97d4829d5b404480f02d90e7557cfed571
Opcode Fuzzy Hash: 17bcfa2246879958e6deeecfb3dd30fbf363363fe0cdfdf4ccd092ee3f1ec607
Instruction Fuzzy Hash: AD1192B09007029FE3649F19C899712FAB4BB06324F50978CE0695E6D2C3BAD589CFD5

Function 00409EB9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11dde4bea6cdc3f43d55281e8cc4d938954cac3924490b2dcf7e503bc37ced3
Instruction ID: b0d56012c3d891d04b8b069242e406f0bf4132553d77d7a172f771eb767dd099
Opcode Fuzzy Hash: c11dde4bea6cdc3f43d55281e8cc4d938954cac3924490b2dcf7e503bc37ced3
Instruction Fuzzy Hash: 1CF0A739A502158BCB04CF14C86277773B2EF8A312F046425D547EB392D3788C40C7A9

Function 0043F286 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7745721efb1b8d97eb5a387c513d230e70c93acfe341ed94793c9456cf5d554e
Instruction ID: 01548a179f3559cfb04f008a038ad398e0644e2916ec8190e41f8619e0e1dcf3
Opcode Fuzzy Hash: 7745721efb1b8d97eb5a387c513d230e70c93acfe341ed94793c9456cf5d554e
Instruction Fuzzy Hash: FFE02BBAF480108B530CCF16D8505B073E2A3CB311704E03CD44AD7311C931DC12560D

Function 00417A75 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625efd3e6447be3ca96c1261227bd43839374db7b4a4fcb7db7caeaa54c905dd
Instruction ID: 71cc694b795eba117cf9378a5a53a8597336b0837f4540bad7c117c05afde082
Opcode Fuzzy Hash: 625efd3e6447be3ca96c1261227bd43839374db7b4a4fcb7db7caeaa54c905dd
Instruction Fuzzy Hash: DDD05E359142049AC7008F2DA500919B7F0EBC7750F00A52DB448E72A9CB71C8019709

Function 00424F80 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1811e256de978feef4c3cd29b6a07caae766e2687f34a7759ddec68fd786fd
Instruction ID: d02d98b6c4407079e00ef93f935acfea29071d225d302e4f93154c128f20d5d8
Opcode Fuzzy Hash: 1e1811e256de978feef4c3cd29b6a07caae766e2687f34a7759ddec68fd786fd
Instruction Fuzzy Hash: FAB0127090C10087D504CF08C450470F378D747215F003418D00AB3102C310E800CA0C

Function 0043234E Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00432400

Strings

", xrefs: 004324CB
Y, xrefs: 00432483
", xrefs: 0043253B
Q, xrefs: 00432446
/, xrefs: 00432423
o, xrefs: 0043243C
S, xrefs: 00432453
i, xrefs: 0043241E
U, xrefs: 00432463
:, xrefs: 00432370
I, xrefs: 0043237F
4, xrefs: 0043245B
], xrefs: 004324A3
6, xrefs: 004325CB
O, xrefs: 00432375
G, xrefs: 004324F3
O, xrefs: 00432533
_, xrefs: 004324B3
0, xrefs: 00432656
W, xrefs: 00432473
m, xrefs: 00432432
M, xrefs: 00432523
8, xrefs: 0043247B
A, xrefs: 004324C3
', xrefs: 0043255B
<, xrefs: 0043246B
+, xrefs: 004325AB
, xrefs: 0043242D
C, xrefs: 004324D3
H, xrefs: 0043237A
I, xrefs: 00432503
', xrefs: 0043254B
K, xrefs: 00432513
*, xrefs: 0043257B
M, xrefs: 0043236B
=, xrefs: 00432366
+, xrefs: 00432437
k, xrefs: 00432428
E, xrefs: 004324E3
=, xrefs: 0043235C
[, xrefs: 00432493
S, xrefs: 00432361

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocString
String ID: $"$"$'$'$*$+$+$/$0$4$6$8$:$<$=$=$A$C$E$G$H$I$I$K$M$M$O$O$Q$S$S$U$W$Y$[$]$_$i$k$m$o
API String ID: 2525500382-871300800
Opcode ID: ea0acaf6d4cacd1ba90045e13a6227656fbadf6fad3af0bdaba31410a1091882
Instruction ID: cf4270bf8ffc7a5f823e8d7e11b60e879aec5e144cc898fab687690e48e742b5
Opcode Fuzzy Hash: ea0acaf6d4cacd1ba90045e13a6227656fbadf6fad3af0bdaba31410a1091882
Instruction Fuzzy Hash: 9291066150C7C1CDE3368638845879BBED11BA7218F088AADD5ED8B2D3C7BA4509CB67

Function 00432019 Relevance: 75.4, APIs: 1, Strings: 42, Instructions: 159memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004320CE

Strings

U, xrefs: 00432131
O, xrefs: 00432043
M, xrefs: 004321F1
, xrefs: 004320FB
+, xrefs: 00432105
Q, xrefs: 00432114
0, xrefs: 0043231B
K, xrefs: 004321E1
C, xrefs: 004321A1
S, xrefs: 00432121
k, xrefs: 004320F6
], xrefs: 00432171
W, xrefs: 00432141
<, xrefs: 00432139
_, xrefs: 00432181
G, xrefs: 004321C1
/, xrefs: 004320F1
m, xrefs: 00432100
E, xrefs: 004321B1
+, xrefs: 00432279
I, xrefs: 004321D1
i, xrefs: 004320EC
8, xrefs: 00432149
o, xrefs: 0043210A
=, xrefs: 00432034
6, xrefs: 00432299
', xrefs: 00432219
M, xrefs: 00432039
A, xrefs: 00432191
S, xrefs: 0043202F
O, xrefs: 00432201
", xrefs: 00432209
*, xrefs: 00432249
:, xrefs: 0043203E
I, xrefs: 0043204D
[, xrefs: 00432161
Y, xrefs: 00432151
=, xrefs: 0043202A
4, xrefs: 00432129
', xrefs: 00432229
H, xrefs: 00432048
", xrefs: 00432199

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocString
String ID: $"$"$'$'$*$+$+$/$0$4$6$8$:$<$=$=$A$C$E$G$H$I$I$K$M$M$O$O$Q$S$S$U$W$Y$[$]$_$i$k$m$o
API String ID: 2525500382-871300800
Opcode ID: e45984be38196b5c8ff72e5588430cd25e3479d51ec099cdc983a58aa1c9b1d2
Instruction ID: 865d247f53da1c212b644144c37fe5ba321bca7ef231fb23b2e03194a57c13c3
Opcode Fuzzy Hash: e45984be38196b5c8ff72e5588430cd25e3479d51ec099cdc983a58aa1c9b1d2
Instruction Fuzzy Hash: 5C91E76110C7C18DE3368638885879BBED11BA7218F188A9DD1ED8B2D3C6BA454AC767

Function 00431512 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 97COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043151C
VariantInit.OLEAUT32 ref: 0043152F

Strings

g, xrefs: 0043159D
s, xrefs: 0043154D
~, xrefs: 00431575
Z, xrefs: 00431593
t, xrefs: 00431561
p, xrefs: 004315BB
c, xrefs: 004315B1
w, xrefs: 00431557
a, xrefs: 0043156B
p, xrefs: 004315A7
{, xrefs: 00431589
n, xrefs: 0043157F

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Z$a$c$g$n$p$p$s$t$w${$~
API String ID: 2610073882-3241135356
Opcode ID: e4bafa1799fc74d6fdec72762fe4337596049604b772f4dce9c6462e0ef1b261
Instruction ID: 5cfd81fbbfab52470edc20309123d5fdb3929ff031e16fa1184257613a9df237
Opcode Fuzzy Hash: e4bafa1799fc74d6fdec72762fe4337596049604b772f4dce9c6462e0ef1b261
Instruction Fuzzy Hash: 56412A7550D3C0CAE366CB28C49878FBFE26BD6308F58885CE5C50B396D6BA9509C763

Function 004329CE Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 94COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004329F3

Strings

Z, xrefs: 00432A57
s, xrefs: 00432A11
p, xrefs: 00432A7F
c, xrefs: 00432A75
n, xrefs: 00432A43
w, xrefs: 00432A1B
~, xrefs: 00432A39
{, xrefs: 00432A4D
a, xrefs: 00432A2F
t, xrefs: 00432A25
p, xrefs: 00432A6B
g, xrefs: 00432A61

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitVariant
String ID: Z$a$c$g$n$p$p$s$t$w${$~
API String ID: 1927566239-3241135356
Opcode ID: 75c46943b2651eac38ca81ac704b743c7024d952c1a77a819c42d2055e78dec7
Instruction ID: 5e74e55bfebdbfff89dcf67c6b6cd9f6728498efe2e3599b3f27d88dd375cd61
Opcode Fuzzy Hash: 75c46943b2651eac38ca81ac704b743c7024d952c1a77a819c42d2055e78dec7
Instruction Fuzzy Hash: 9D414F7150D3C0CEE366CB28C49874BBFE25BD6308F49889DE5C44B396C6BA9509C763

Function 004336A0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 131COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004336E2
GetSystemMetrics.USER32 ref: 004336F2

Strings

=C, xrefs: 0043379B
LGC, xrefs: 00433790
uDC, xrefs: 004337FE
zBC, xrefs: 00433840
AC, xrefs: 004338AE
*?C, xrefs: 00433882

Memory Dump Source

Source File: 00000002.00000002.1724447565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: MetricsSystem
String ID: AC$*?C$LGC$uDC$zBC$=C
API String ID: 4116985748-4161976543
Opcode ID: 02bb96d70cd6577b4178e4b39174d52ca7c32edb2cda6836f488a2f11afff723
Instruction ID: 1998a03cc5df2a2f33f1525dd043022f22112b898c887f3cf15ef20427d46a93
Opcode Fuzzy Hash: 02bb96d70cd6577b4178e4b39174d52ca7c32edb2cda6836f488a2f11afff723
Instruction Fuzzy Hash: 979149B011A384CBE774EF11C5597CFBAE1AB82308F11891ED29D4B250DBBA450DDF9A

Function 00823052 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,0082303D,?,?,?,?,?,?,?,?,?), ref: 008230F8
__alloca_probe_16.LIBCMT ref: 008231B3
__alloca_probe_16.LIBCMT ref: 00823242
__freea.LIBCMT ref: 0082328D
__freea.LIBCMT ref: 00823293
__freea.LIBCMT ref: 008232C9
__freea.LIBCMT ref: 008232CF
__freea.LIBCMT ref: 008232DF

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 903100fb492fce0454b53e1d93a6af073346e2de4bf685b50c72b1d0eb1b7783
Instruction ID: f25a729a92367a8455f0e7faabcbdade3091a1b8399fcda08c6746b073058566
Opcode Fuzzy Hash: 903100fb492fce0454b53e1d93a6af073346e2de4bf685b50c72b1d0eb1b7783
Instruction Fuzzy Hash: 7871E872A04269EBDF209E98AC62BEE77B9FF49310F290055F904E7181D739DEC08761

Function 008084F5 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 0080853C
__alloca_probe_16.LIBCMT ref: 00808568
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 008085A7
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008085C4
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00808603
__alloca_probe_16.LIBCMT ref: 00808620
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00808662
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00808685

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 9320c174c4fded35abfce6e7a961a79e26ed61d492b07d2e2d6c8e8a80552622
Instruction ID: d3f89c3c2d1d620698a3740240df207198c3b44f880ff4f917e4b1602e410894
Opcode Fuzzy Hash: 9320c174c4fded35abfce6e7a961a79e26ed61d492b07d2e2d6c8e8a80552622
Instruction Fuzzy Hash: D251CC7260021AEFEB605F64CC49FAB3BA9FF50740F224029F965D62D0DF318D908A90

Function 0081712B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008171B1

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 0022c536f264df0fd022f58618f40cd4b78e8be5a313df6415c180dcdaad3927
Instruction ID: 905e176bb1e2ba2b921ac887834d3ab9431ff03678e35766bc51baa649fed947
Opcode Fuzzy Hash: 0022c536f264df0fd022f58618f40cd4b78e8be5a313df6415c180dcdaad3927
Instruction Fuzzy Hash: C6B16672A08355AFDB11CF28CC81BEE7BB9FF59300F244169E915EB382D2749981C7A1

Function 00809470 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008094A7
___except_validate_context_record.LIBVCRUNTIME ref: 008094AF
_ValidateLocalCookies.LIBCMT ref: 00809538
__IsNonwritableInCurrentImage.LIBCMT ref: 00809563
_ValidateLocalCookies.LIBCMT ref: 008095B8

Strings

csm, xrefs: 0080954D

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c568a752d75bf8a6e9a917946ac5880e7a90b0e67bdd15d29f82ae4e700544c6
Instruction ID: d15d2a7484a3e08860ea98b5b6a1aa18f9c23d53691354c6c5773b5114342d87
Opcode Fuzzy Hash: c568a752d75bf8a6e9a917946ac5880e7a90b0e67bdd15d29f82ae4e700544c6
Instruction Fuzzy Hash: 7641BD70A00218ABCF51DF69DC41A9EBBB4FF45324F148165E854EB393D731EA52CB91

Function 00808397 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008083AB
AcquireSRWLockExclusive.KERNEL32(00803C74,?,?,?,?,?,?,00000000,00000000,00000000,0080156C,00000000), ref: 008083CA
AcquireSRWLockExclusive.KERNEL32(00803C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,0080156C,00000000), ref: 008083F8
TryAcquireSRWLockExclusive.KERNEL32(00803C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,0080156C,00000000), ref: 00808453
TryAcquireSRWLockExclusive.KERNEL32(00803C74,ios_base::badbit set,?,?,?,?,?,?,?,00000000,00000000,00000000,0080156C,00000000), ref: 0080846A

Strings

ios_base::badbit set, xrefs: 008083E1

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID: ios_base::badbit set
API String ID: 66001078-3882152299
Opcode ID: 704f96124e231c83856c98d379a58731462517b5ee3a2166179d7ad08019777f
Instruction ID: cf2a6be52f10f2cde9086f1f7d4f3c5b4dcac283d3f15f662586c1d8ac0aef43
Opcode Fuzzy Hash: 704f96124e231c83856c98d379a58731462517b5ee3a2166179d7ad08019777f
Instruction Fuzzy Hash: 8E412731900A0BDFCBA0DF64C88196AB7F5FF04314B604A29E5D6D7681DB34E9C5CB59

Function 008151F2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00815301,00801F9A,?,00000000,00804A74,00801F9C,?,00814ED6,00000022,FlsSetValue,00827C74,00827C7C,00804A74), ref: 008152B3

Strings

ext-ms-, xrefs: 0081525D
api-ms-, xrefs: 00815249

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 4e6b7944413d0bbe51c2bc9c32f8bcbe574c530f2f04072af0cad8b78c95f98b
Instruction ID: 2c2ec1a3248032914d8bc9d670d8a3628944364ff3b2cee5f8bdee548ae2d0bd
Opcode Fuzzy Hash: 4e6b7944413d0bbe51c2bc9c32f8bcbe574c530f2f04072af0cad8b78c95f98b
Instruction Fuzzy Hash: A4210233A01A25EBCB219B65AC45EDA7B6CFFC1760F200520ED16E7280D734ED80C6D0

Function 008087AC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008087B2
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 008087C0
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 008087D1

Strings

GetTempPath2W, xrefs: 008087C6
GetSystemTimePreciseAsFileTime, xrefs: 008087BA
kernel32.dll, xrefs: 008087AD

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: cacba16da9a813de6434ec663d9989ccd600993008d286ae1d57a040e1e5c8b4
Instruction ID: f773b5bd6a32458226ce18c10f4d3317fe07f6d04b5e2ddc87c22c708726e209
Opcode Fuzzy Hash: cacba16da9a813de6434ec663d9989ccd600993008d286ae1d57a040e1e5c8b4
Instruction Fuzzy Hash: D2D0C931589730AB83249F74BC0DCDE3EA4FF897127014512F812D2BA1DB780482EB95

Function 0081D1ED Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea0fb77b54b8d51d7a260a57cff2eac130bb2f381b3c5c46963ac60e64b7398
Instruction ID: 70762931f3a2d4cdf0944e47dfd3e67aaaf360a104da1929d3f37364c301657a
Opcode Fuzzy Hash: 7ea0fb77b54b8d51d7a260a57cff2eac130bb2f381b3c5c46963ac60e64b7398
Instruction Fuzzy Hash: 4AB10F70A04349AFDF119FADD840BEE7BBAFF45318F148158E915DB282C770A981CB65

Function 00812FAC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00812FA3,00809247,00808033), ref: 00812FBA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00812FC8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00812FE1
SetLastError.KERNEL32(00000000,00812FA3,00809247,00808033), ref: 00813033

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8fcf58e757d15900c298c4b6b73b108989cf5ba9ebe40cb76745e1e2d607738c
Instruction ID: e64a75362baf80e680d4bb857a067d2a1281f9beb4899dc27f516a859214d7f0
Opcode Fuzzy Hash: 8fcf58e757d15900c298c4b6b73b108989cf5ba9ebe40cb76745e1e2d607738c
Instruction Fuzzy Hash: 3801D8321097216EA635267D7C86AD72EACFF057B5B60433AFA14D40F2EF514CD2D641

Function 00813874 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00813993
CallUnexpected.LIBVCRUNTIME ref: 00813C0C

Strings

csm, xrefs: 0081391E
csm, xrefs: 008138B1
csm, xrefs: 008139CA

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 4e866a65a9f5899a9f32e1505b80967c4b197a311c76e8fad81d902efd5f4a92
Instruction ID: ff2133202f883c445648e05aae77f05e61466013245026b9ad72e782ee73f5cf
Opcode Fuzzy Hash: 4e866a65a9f5899a9f32e1505b80967c4b197a311c76e8fad81d902efd5f4a92
Instruction Fuzzy Hash: 61B14771800209EFCF25DFA8C8819EEBBB9FF14310F14455AF815AB216D775DAA1CB92

Function 00802EF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00802F0C
std::_Lockit::_Lockit.LIBCPMT ref: 00802F2A
std::_Lockit::~_Lockit.LIBCPMT ref: 00802F4C
std::_Lockit::~_Lockit.LIBCPMT ref: 00802FBA

Strings

ios_base::badbit set, xrefs: 00802EF2

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: ios_base::badbit set
API String ID: 593203224-3882152299
Opcode ID: dc3c71b1b61d25e7d184603bd26b6975230b6a15a82b50936e588853f0e10c2f
Instruction ID: 6e13393fcbb05fccfe9675d928018d0da15c5590c3e9fb5c7341019b33f1fa71
Opcode Fuzzy Hash: dc3c71b1b61d25e7d184603bd26b6975230b6a15a82b50936e588853f0e10c2f
Instruction Fuzzy Hash: 042168B1A042059FC7A0EF58DC59A1AB7A4FB94760F05895DF549CB2A2DB71AC40CF82

Function 00804BE3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00804BEA
std::_Lockit::_Lockit.LIBCPMT ref: 00804BF7
std::_Lockit::_Lockit.LIBCPMT ref: 00804C61
std::_Lockit::~_Lockit.LIBCPMT ref: 00804C7B

Part of subcall function 0080433F: _Yarn.LIBCPMT ref: 0080435F
Part of subcall function 0080433F: _Yarn.LIBCPMT ref: 00804383

Strings

bad locale name, xrefs: 00804C45

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Yarn$H_prolog3Lockit::~_
String ID: bad locale name
API String ID: 3084819986-1405518554
Opcode ID: 4655e1a41db3b3caaae2fafd704072b7f1d73bab1b2bf65f3bb5d7d235f580b6
Instruction ID: f98c7febb122af363c5153114b0fe452716bfe762aa0b2cbd994dfe946946f14
Opcode Fuzzy Hash: 4655e1a41db3b3caaae2fafd704072b7f1d73bab1b2bf65f3bb5d7d235f580b6
Instruction Fuzzy Hash: D71190B1941704DFC760DF6AD98168ABBE0FF28300F50592EE1CAC3691DB70AA84CB56

Function 0080DC95 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,008246BA,000000FF,?,0080DD56,0080DC3D,?,0080DDF2,00000000), ref: 0080DCCA
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0080DCDC
FreeLibrary.KERNEL32(00000000,?,?,00000000,008246BA,000000FF,?,0080DD56,0080DC3D,?,0080DDF2,00000000), ref: 0080DCFE

Strings

mscoree.dll, xrefs: 0080DCC3
CorExitProcess, xrefs: 0080DCD4

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 09acf3b4237b20551054fe898d31722471a2dc520a1a644f58dbe7651a6fd1fd
Instruction ID: 4e1c7fab9b366aca87bcaa86a0a88d9e108aa1f56df1ec024af4241e2dc85532
Opcode Fuzzy Hash: 09acf3b4237b20551054fe898d31722471a2dc520a1a644f58dbe7651a6fd1fd
Instruction Fuzzy Hash: 28016731554765AFDB219F90DC09FAEBBB8FB44B15F004525F812E27D0DB789941CA90

Function 008159C6 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00815A4B
__alloca_probe_16.LIBCMT ref: 00815B14
__freea.LIBCMT ref: 00815B7B

Part of subcall function 00814211: HeapAlloc.KERNEL32(00000000,00804A74,00801F9A,?,00809351,00801F9C,00801F9A,?,?,?,008046D6,00804A74,00801F9E,00801F9A,00801F9A,00801F9A), ref: 00814243

__freea.LIBCMT ref: 00815B8E
__freea.LIBCMT ref: 00815B9B

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: a477a48be08c8319dbdbdf4e8ee9d762bcac4c084e1d891bdcc8702e23707bd1
Instruction ID: 325771f2027c545810ba4570405577fda4d0c555fce504351fcdc25e8d21216a
Opcode Fuzzy Hash: a477a48be08c8319dbdbdf4e8ee9d762bcac4c084e1d891bdcc8702e23707bd1
Instruction Fuzzy Hash: AA5180B260464AEFEB209FA4DC81EFB7BADFF84720B254529FD04D6151EB70DC908661

Function 00805E93 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00805E9A
std::_Lockit::_Lockit.LIBCPMT ref: 00805EA4
int.LIBCPMT ref: 00805EBB

Part of subcall function 00804C50: std::_Lockit::_Lockit.LIBCPMT ref: 00804C61
Part of subcall function 00804C50: std::_Lockit::~_Lockit.LIBCPMT ref: 00804C7B

codecvt.LIBCPMT ref: 00805EDE
std::_Lockit::~_Lockit.LIBCPMT ref: 00805F15

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 01a555ad9e985830ec0eea8d1a73d925f21f572d71363ae4231ae009de5b46f1
Instruction ID: 01ca06a96fcbf7233bad72d146904118bc09f798afb0fc57eef180fabcab7aad
Opcode Fuzzy Hash: 01a555ad9e985830ec0eea8d1a73d925f21f572d71363ae4231ae009de5b46f1
Instruction Fuzzy Hash: 7E01C079A406198FCB41EBA8DC256AE77A0FF88320F244409F511E72D1CF749E05CFA2

Function 00804565 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0080456C
std::_Lockit::_Lockit.LIBCPMT ref: 00804577
std::_Lockit::~_Lockit.LIBCPMT ref: 008045E5

Part of subcall function 00804439: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00804451

std::locale::_Setgloballocale.LIBCPMT ref: 00804592
_Yarn.LIBCPMT ref: 008045A8

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 3c95b8880423f36e762649e98d89994122e862aece8e3e1af1fc17b193e8a0a7
Instruction ID: c31def9191c83055f35b610e258d0a001d1b9e53c7ae2eaa403263085a2fe6c6
Opcode Fuzzy Hash: 3c95b8880423f36e762649e98d89994122e862aece8e3e1af1fc17b193e8a0a7
Instruction Fuzzy Hash: 6E01BCB5A806209FC746AF64EC56A7C7B61FF84740B145008EA02973C1CF38AE42CF82

Function 00801B30 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00801B4A

Strings

ios_base::failbit set, xrefs: 00801ED9
ios_base::badbit set, xrefs: 00801EE4, 00801F02
ios_base::eofbit set, xrefs: 00801ED4

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: ac453cebbd76ec3e2d13ff2b17d1c1a7874d5b93444a7d7a2ed7f1347659a3cb
Instruction ID: 43ec8c08ffa3081cc5ef54016d7302bf23c5df0b52914380b2226be939851eb0
Opcode Fuzzy Hash: ac453cebbd76ec3e2d13ff2b17d1c1a7874d5b93444a7d7a2ed7f1347659a3cb
Instruction Fuzzy Hash: CCC17B352042018FDB54CF28C898B6AB7E1FF89328F55866CE999CB3A1D735EC45CB81

Function 0081EE61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0081EEFD,00000000,?,008312F0,?,?,?,0081EE34,00000004,InitializeCriticalSectionEx,00828254,0082825C), ref: 0081EE6E
GetLastError.KERNEL32(?,0081EEFD,00000000,?,008312F0,?,?,?,0081EE34,00000004,InitializeCriticalSectionEx,00828254,0082825C,00000000,?,00813EBC), ref: 0081EE78
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0081EEA0

Strings

api-ms-, xrefs: 0081EE85

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: d7cea6bfec8b2ddfa2b34518a596ee8c6a920cca978791d57a45b0237dfa429d
Instruction ID: 1c0fb7d54d5bfbb4228986548a8e9011e827bde62907253575000223e599984a
Opcode Fuzzy Hash: d7cea6bfec8b2ddfa2b34518a596ee8c6a920cca978791d57a45b0237dfa429d
Instruction Fuzzy Hash: BFE04F32284309FBEB301B61EC0AF993F58FF50B51F208020FE0DE84E1DB71A8918648

Function 0081C20A Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 0081C26D

Part of subcall function 00814321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00815B71,?,00000000,-00000008), ref: 00814382

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0081C4BF
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0081C505
GetLastError.KERNEL32 ref: 0081C5A8

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 193ebb2a4de9a426d6825573c9f4d7a323a2ba4b43694fc819bf526707fe3627
Instruction ID: 951166383317dbc404a2d7316a821343a4b1c195dd0d2ba4efe3dcb21b940826
Opcode Fuzzy Hash: 193ebb2a4de9a426d6825573c9f4d7a323a2ba4b43694fc819bf526707fe3627
Instruction Fuzzy Hash: 15D17BB5D042589FCF15CFE8D884AEDBBBAFF48314F24416AE426EB351D630A981CB50

Function 0081359B Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00813662
___AdjustPointer.LIBCMT ref: 00813685
___AdjustPointer.LIBCMT ref: 00813721

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a794f69646f77c246fa05b610b5eef9c6e1f93e4e6dac88547b2002643772e7c
Instruction ID: 5f3ef69e9d72e3dffa10b7a54f4c251e4468fa24024fb7d69722395b0ae651cd
Opcode Fuzzy Hash: a794f69646f77c246fa05b610b5eef9c6e1f93e4e6dac88547b2002643772e7c
Instruction Fuzzy Hash: 4451D1B1604606BFEB298F14D841BEAB7A8FF60710F244429E846C77A1D731AEC0EB51

Function 00803510 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0080352C
std::_Lockit::_Lockit.LIBCPMT ref: 0080354A
std::_Lockit::~_Lockit.LIBCPMT ref: 0080356C
std::_Lockit::~_Lockit.LIBCPMT ref: 008035DA

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 71db0c0434feb26de6282423a5b70caf88653334d99107e00222630a622ec264
Instruction ID: 4af53bf78d3a5e3de2d7d6433a150459f346c608ea881e0e58457e46a2a22101
Opcode Fuzzy Hash: 71db0c0434feb26de6282423a5b70caf88653334d99107e00222630a622ec264
Instruction Fuzzy Hash: 1621ADB1A043009FC7A0EF58DC55A2A77A4FF94320F01895DF5898B2A2DB31AE40CF82

Function 0081A036 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00814321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00815B71,?,00000000,-00000008), ref: 00814382

GetLastError.KERNEL32 ref: 0081A09A
__dosmaperr.LIBCMT ref: 0081A0A1
GetLastError.KERNEL32 ref: 0081A0DB
__dosmaperr.LIBCMT ref: 0081A0E2

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: dcfdf9a0b83dac9d426f2375b670a940f1bf4e9bff15be87c385a81c8686abfc
Instruction ID: b33622e2d161aa51447e1373e541c9fcfd86cde3138135978b86af682406c419
Opcode Fuzzy Hash: dcfdf9a0b83dac9d426f2375b670a940f1bf4e9bff15be87c385a81c8686abfc
Instruction Fuzzy Hash: 3E21A131601A15EFDB24AF69CC408ABB7ADFF083647108429F925D7551DB31ECC08B93

Function 0080B2D2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44af5158cea9c42d3a6b78e82f38236afa210e2eae5ac8908a1a3185e02d254b
Instruction ID: df97901d4b3b74d0513deb88589d2411555f1a5ec1b0bfae94fa76554efe352d
Opcode Fuzzy Hash: 44af5158cea9c42d3a6b78e82f38236afa210e2eae5ac8908a1a3185e02d254b
Instruction Fuzzy Hash: E8219331600609AFDBA0AF758C51D6B77E9FF403687228525F929D76D1E730EC508792

Function 0081B42C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0081B434

Part of subcall function 00814321: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00815B71,?,00000000,-00000008), ref: 00814382

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0081B46C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0081B48C

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: ae1ef34bde17888381551794470b503f45f2bff2d6400ef2388061c818157134
Instruction ID: 8bf5a73401250a7838c59dcda10812cba7db3127a10c3a5b220abe89ce9e4677
Opcode Fuzzy Hash: ae1ef34bde17888381551794470b503f45f2bff2d6400ef2388061c818157134
Instruction Fuzzy Hash: 6E1100F55016197EAB2127BA9D8ECFF3E9CFE993987108025F905D2102FB20DDC182B6

Function 00807155 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0080715C
std::_Lockit::_Lockit.LIBCPMT ref: 00807166
int.LIBCPMT ref: 0080717D

Part of subcall function 00804C50: std::_Lockit::_Lockit.LIBCPMT ref: 00804C61
Part of subcall function 00804C50: std::_Lockit::~_Lockit.LIBCPMT ref: 00804C7B

std::_Lockit::~_Lockit.LIBCPMT ref: 008071D7

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: bc28b081141cd41f9ace4aa01e6cfa4594905830034f1acbcf0a6b77fd24dba4
Instruction ID: a6956f5fb7824f2506614039ccf33b3a3f43da2eee18006665a17005c5826a3f
Opcode Fuzzy Hash: bc28b081141cd41f9ace4aa01e6cfa4594905830034f1acbcf0a6b77fd24dba4
Instruction Fuzzy Hash: 3B11CE71940215CBCB45EBA8DC156AD7760FF84320F254409E921EB2D1CF30AE45CB82

Function 00823310 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,008227FF,00000000,00000001,?,?,?,0081C5FC,?,00000000,00000000), ref: 00823327
GetLastError.KERNEL32(?,008227FF,00000000,00000001,?,?,?,0081C5FC,?,00000000,00000000,?,?,?,0081BF42,?), ref: 00823333

Part of subcall function 00823384: CloseHandle.KERNEL32(FFFFFFFE,00823343,?,008227FF,00000000,00000001,?,?,?,0081C5FC,?,00000000,00000000,?,?), ref: 00823394

___initconout.LIBCMT ref: 00823343

Part of subcall function 00823365: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00823301,008227EC,?,?,0081C5FC,?,00000000,00000000,?), ref: 00823378

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,008227FF,00000000,00000001,?,?,?,0081C5FC,?,00000000,00000000,?), ref: 00823358

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 880825db6fd8b3f92b84b18b6ad878f0415bd782a3f0a9802d71271639e8f259
Instruction ID: c2bfe2d481d8cf70a3d64a1469fd970023da41de1686c7183c6857ba37a7601d
Opcode Fuzzy Hash: 880825db6fd8b3f92b84b18b6ad878f0415bd782a3f0a9802d71271639e8f259
Instruction Fuzzy Hash: 62F01C37504229BFCF225F99FC1DE8A7F26FB483A0F008010FA1995630CA728A609F91

Function 00808C37 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00808C49
GetCurrentThreadId.KERNEL32 ref: 00808C58
GetCurrentProcessId.KERNEL32 ref: 00808C61
QueryPerformanceCounter.KERNEL32(?), ref: 00808C6E

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4220f6d3cd1cb2bbd5efd9814bbe524fa2d07ef25198c3bdf259729d4fc24de8
Instruction ID: a46d594004e5d12f4e43114e5ed81c37f19f179ceb348c36ff8256d42dc5197c
Opcode Fuzzy Hash: 4220f6d3cd1cb2bbd5efd9814bbe524fa2d07ef25198c3bdf259729d4fc24de8
Instruction Fuzzy Hash: 73F0B231C0021CEBCB00DBB4CA4998EBBF4FF1C200BA18996A412F7510E730AB05CB50

Function 00813C98 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00813B99,?,?,00000000,00000000,00000000,?), ref: 00813CBD

Strings

RCC, xrefs: 00813CD7
MOC, xrefs: 00813CCF

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ad8af63a329deb082cc93443e1082f7a073da57e1f308a4e3640cca6e99f38bb
Instruction ID: afbad9b24d3c3790b18247db941919b3f31b39d6e560e3df12b5b6d0f9662997
Opcode Fuzzy Hash: ad8af63a329deb082cc93443e1082f7a073da57e1f308a4e3640cca6e99f38bb
Instruction Fuzzy Hash: 88416871900209EFCF15DF98DD81AEEBBB9FF48304F188099F904A7261D735AA90DB51

Function 00813504 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0081377B

Strings

csm, xrefs: 0081380E
csm, xrefs: 0081379D

Memory Dump Source

Source File: 00000002.00000002.1724525662.0000000000801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000002.00000002.1724506338.0000000000800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724560340.0000000000825000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724581870.000000000082F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724601953.0000000000833000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1724620976.0000000000836000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_800000_Script.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 7c98eb61deae2dcf0447cd889a4742d7fbbc46ccb50945fccf39a1072e008c8c
Instruction ID: 7df859d483f8439bb696ae687b61cce62184c40fc11870606e7abab2d33225c6
Opcode Fuzzy Hash: 7c98eb61deae2dcf0447cd889a4742d7fbbc46ccb50945fccf39a1072e008c8c
Instruction Fuzzy Hash: 153194B2800218ABCF265F55D8449EA7B6DFF05715B18457AFC54CA161C332DEE1DB81

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Script.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Script.exe

Function 0082F19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00801730 Relevance: 12.2, APIs: 8, Instructions: 200
fileCOMMON

Function 008151F2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00801B30 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324
COMMON

Function 0080DA29 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 0080DBBF Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 0080DD30 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00802780 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
COMMONLIBRARYCODE

Function 0081BE60 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 0081C639 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00815D12 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00801A80 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Function 0080DB41 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON