Edit tour

Windows Analysis Report
Script.exe

Overview

General Information

Sample name:	Script.exe
Analysis ID:	1581537
MD5:	fe5dc1cdefa2fcd27f84353d4f239ab9
SHA1:	11a8741e9913f55b2cc5ded39214fd86cfa249e6
SHA256:	7819e3789ad768375a4685a4c7e6f715ac79226b02c4d60b1d5382772d6a6e48
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Script.exe (PID: 1344 cmdline: "C:\Users\user\Desktop\Script.exe" MD5: FE5DC1CDEFA2FCD27F84353D4F239AB9)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Script.exe (PID: 6016 cmdline: "C:\Users\user\Desktop\Script.exe" MD5: FE5DC1CDEFA2FCD27F84353D4F239AB9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["hummskitnj.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "mindhandru.buzz", "screwamusresz.buzz", "scentniej.buzz", "inherineau.buzz", "appliacnesot.buzz", "prisonyfork.buzz"], "Build id": "yau6Na--6331801298"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:59.944827+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	23.55.153.106	443	TCP
2024-12-28T02:54:02.614232+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.66.86	443	TCP
2024-12-28T02:54:04.005048+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:54:03.424717+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49734	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:54:03.424717+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49734	104.21.66.86	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:57.497764+0100	2058572	1	Domain Observed Used for C2 Detected	192.168.2.4	49681	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:57.744541+0100	2058576	1	Domain Observed Used for C2 Detected	192.168.2.4	62389	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:57.973986+0100	2058578	1	Domain Observed Used for C2 Detected	192.168.2.4	55833	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:56.954543+0100	2058580	1	Domain Observed Used for C2 Detected	192.168.2.4	59556	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mindhandru .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:56.034767+0100	2058582	1	Domain Observed Used for C2 Detected	192.168.2.4	51320	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:56.264951+0100	2058584	1	Domain Observed Used for C2 Detected	192.168.2.4	54948	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:56.483294+0100	2058586	1	Domain Observed Used for C2 Detected	192.168.2.4	52952	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:56.735269+0100	2058588	1	Domain Observed Used for C2 Detected	192.168.2.4	64878	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:53:57.196839+0100	2058590	1	Domain Observed Used for C2 Detected	192.168.2.4	62956	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T02:54:00.772348+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://inherineau.buzz:443/api	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/T8	Avira URL Cloud: Label: malware
Source: https://scentniej.buzz:443/api	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apip	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/vo	Avira URL Cloud: Label: malware
Source: https://screwamusresz.buzz:443/api	Avira URL Cloud: Label: malware
Source: https://cashfuzysao.buzz:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["hummskitnj.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "mindhandru.buzz", "screwamusresz.buzz", "scentniej.buzz", "inherineau.buzz", "appliacnesot.buzz", "prisonyfork.buzz"], "Build id": "yau6Na--6331801298"}

Multi AV Scanner detection for submitted file

Source: Script.exe	Virustotal: Detection: 41%			Perma Link
Source: Script.exe	ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: Script.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mindhandru.buzz
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String decryptor: yau6Na--6331801298

Source: Script.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_00B11FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00B11FE9

Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 37A3DD63h	2_2_0043DC6A
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 385488F2h	2_2_0043DE17
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp+04h]	2_2_00439000
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp eax	2_2_00439000
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edi, eax	2_2_00408820
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_004090D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+40h]	2_2_004260DD
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00435880
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [esp+08h], ebp	2_2_00426090
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00417097
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [ebp-14h], eax	2_2_0041409E
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	2_2_004160AC
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2341DD72h]	2_2_0040D94C
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 088030A7h	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 11A82DE9h	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E87DD67h	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 798ECF08h	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11A82DE9h	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+24h]	2_2_00427170
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-62h]	2_2_0041417E
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042A900
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	2_2_0041613C
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E0A81160h	2_2_004169C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_004169C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then lea eax, dword ptr [esp+28h]	2_2_004239C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+26h]	2_2_0041D9D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00427190
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov dword ptr [esi], 00000022h	2_2_0042A9A0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+72h]	2_2_004289B1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [ecx], si	2_2_0041CA48
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+40h]	2_2_004260DD
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_0042DA08
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00415216
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [ecx], si	2_2_0041CA31
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	2_2_00414230
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp dword ptr [004460D4h]	2_2_00414230
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	2_2_00414230
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp dword ptr [004460D4h]	2_2_00414230
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebp+10h]	2_2_00439280
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edi, edx	2_2_00439280
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then test eax, eax	2_2_00439280
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, dword ptr [eax]	2_2_00439280
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, edx	2_2_0040AAA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then inc ebx	2_2_004222A2
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_0042D2BA
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp eax	2_2_00429B82
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042BB6C
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then add eax, ebx	2_2_0042CB6D
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_0043E372
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	2_2_00427BEA
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp eax	2_2_00429B82
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then lea eax, dword ptr [esp+28h]	2_2_00423B80
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00421B90
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000DAh]	2_2_00429BB6
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-000000DAh]	2_2_00429BB6
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_0042546B
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edi, dword ptr [0044A38Ch]	2_2_00409C3D
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	2_2_0043FCD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00429CF0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then jmp dword ptr [00447D28h]	2_2_00428C9B
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+4B939B60h]	2_2_00428C9B
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_00407540
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_00407540
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_0042BD50
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [esi], ax	2_2_0041850C
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0041AD3D
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041C5C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 120360DAh	2_2_00415DC6
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042CD97
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00416DA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+00000158h]	2_2_0042DDAB
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00408E50
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov ecx, eax	2_2_00408E50
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9EB5184Bh	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9EB5184Bh	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	2_2_0041BE10
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov word ptr [esi], ax	2_2_00417E2E
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000C4h]	2_2_00429E35
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000C4h]	2_2_00429E35
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0042AED0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-3A6ED29Dh]	2_2_0043E6DB
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+38h]	2_2_0040CEDB
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_0040DEBE
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_0040DEBE
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then push ebp	2_2_0040BF63
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h	2_2_00439760
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53BABCE5h	2_2_0040D715
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then lea eax, dword ptr [esp+28h]	2_2_00423720
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416FC1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000DAh]	2_2_004297C1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	2_2_00428FD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9EB5184Bh	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9EB5184Bh	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov edx, ecx	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000DAh]	2_2_004297C1
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esi]	2_2_0043FFB0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	2_2_0043FFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058584 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) : 192.168.2.4:54948 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058578 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) : 192.168.2.4:55833 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) : 192.168.2.4:49681 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058582 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mindhandru .buzz) : 192.168.2.4:51320 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058588 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) : 192.168.2.4:64878 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058576 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) : 192.168.2.4:62389 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058580 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) : 192.168.2.4:59556 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058586 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) : 192.168.2.4:52952 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058590 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) : 192.168.2.4:62956 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49733 -> 23.55.153.106:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: mindhandru.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz

Source: Joe Sandbox View	IP Address: 104.21.66.86 104.21.66.86
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 23.55.153.106:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000003.1707664301.00000000035DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=c35ab4558d34b4bb773fab85; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSat, 28 Dec 2024 01:54:00 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com&LBp equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: mindhandru.buzz
Source: global traffic	DNS traffic detected: DNS query: prisonyfork.buzz
Source: global traffic	DNS traffic detected: DNS query: rebuildeso.buzz
Source: global traffic	DNS traffic detected: DNS query: scentniej.buzz
Source: global traffic	DNS traffic detected: DNS query: inherineau.buzz
Source: global traffic	DNS traffic detected: DNS query: screwamusresz.buzz
Source: global traffic	DNS traffic detected: DNS query: appliacnesot.buzz
Source: global traffic	DNS traffic detected: DNS query: cashfuzysao.buzz
Source: global traffic	DNS traffic detected: DNS query: hummskitnj.buzz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Script.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Script.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Script.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Script.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Script.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.verisign.
Source: Script.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Script.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Script.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Script.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Script.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Script.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Script.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Script.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Script.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appliacnesot.buzz:443/api
Source: Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cashfuzysao.buzz:443/api
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz:443/api
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inherineau.buzz:443/api
Source: Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/T8
Source: Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apip
Source: Script.exe, 00000002.00000002.1738211908.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/vo
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scentniej.buzz:443/api
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://screwamusresz.buzz:443/api
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/FLz
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Script.exe, 00000002.00000003.1707664301.0000000003562000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Script.exe, 00000002.00000003.1707664301.0000000003562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900k
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Script.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com&LB
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00433440 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00433440

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00433440 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00433440

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_00433650 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00433650

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00AF1000	0_2_00AF1000
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00AFF555	0_2_00AFF555
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00B17792	0_2_00B17792
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00B09CC0	0_2_00B09CC0
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00B15C5E	0_2_00B15C5E
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00B03FB2	0_2_00B03FB2
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040B0BC	2_2_0040B0BC
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00421840	2_2_00421840
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00439000	2_2_00439000
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00408820	2_2_00408820
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040F838	2_2_0040F838
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004188C8	2_2_004188C8
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004090D0	2_2_004090D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004260DD	2_2_004260DD
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D090	2_2_0041D090
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00426090	2_2_00426090
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041409E	2_2_0041409E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00403940	2_2_00403940
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00419970	2_2_00419970
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00423171	2_2_00423171
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042C176	2_2_0042C176
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00439900	2_2_00439900
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00405910	2_2_00405910
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00430917	2_2_00430917
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004169C0	2_2_004169C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004239C0	2_2_004239C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004291C7	2_2_004291C7
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D9D0	2_2_0041D9D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004331D0	2_2_004331D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00427190	2_2_00427190
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041F1A7	2_2_0041F1A7
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00417A7E	2_2_00417A7E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004260DD	2_2_004260DD
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042DA08	2_2_0042DA08
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00415216	2_2_00415216
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004082C0	2_2_004082C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00439AC2	2_2_00439AC2
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004062D0	2_2_004062D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004042F0	2_2_004042F0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00436AF0	2_2_00436AF0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004402F0	2_2_004402F0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00411A80	2_2_00411A80
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00439280	2_2_00439280
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00431290	2_2_00431290
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040AAA0	2_2_0040AAA0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004222A2	2_2_004222A2
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F2B0	2_2_0043F2B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00422B52	2_2_00422B52
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00422B70	2_2_00422B70
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00437B70	2_2_00437B70
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F3D0	2_2_0043F3D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004383E0	2_2_004383E0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00427BEA	2_2_00427BEA
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F3EB	2_2_0043F3EB
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F3E9	2_2_0043F3E9
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00402B80	2_2_00402B80
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00421B90	2_2_00421B90
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042B3A0	2_2_0042B3A0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00433440	2_2_00433440
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043EC6B	2_2_0043EC6B
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042546B	2_2_0042546B
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042EC18	2_2_0042EC18
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00423C26	2_2_00423C26
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043BC30	2_2_0043BC30
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043FCD0	2_2_0043FCD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00426C90	2_2_00426C90
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00428C9B	2_2_00428C9B
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D4A0	2_2_0041D4A0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00407540	2_2_00407540
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00425D70	2_2_00425D70
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041850C	2_2_0041850C
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00428513	2_2_00428513
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00430D16	2_2_00430D16
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043C520	2_2_0043C520
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043652F	2_2_0043652F
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F530	2_2_0043F530
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041CDC0	2_2_0041CDC0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00415DC6	2_2_00415DC6
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004095D0	2_2_004095D0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00437DD0	2_2_00437DD0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042CD97	2_2_0042CD97
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042BDB3	2_2_0042BDB3
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F5B0	2_2_0043F5B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F650	2_2_0043F650
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00416600	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041BE10	2_2_0041BE10
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00417E2E	2_2_00417E2E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00429E35	2_2_00429E35
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0042AED0	2_2_0042AED0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00440680	2_2_00440680
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0040DEBE	2_2_0040DEBE
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00402F40	2_2_00402F40
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00406760	2_2_00406760
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00438760	2_2_00438760
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00417707	2_2_00417707
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00423720	2_2_00423720
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0041D7C0	2_2_0041D7C0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00416600	2_2_00416600
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00432F80	2_2_00432F80
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00410FAE	2_2_00410FAE
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043FFB0	2_2_0043FFB0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00AF1000	2_2_00AF1000
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00AFF555	2_2_00AFF555
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00B17792	2_2_00B17792
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00B09CC0	2_2_00B09CC0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00B15C5E	2_2_00B15C5E
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00B03FB2	2_2_00B03FB2

Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00AFFA60 appears 100 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00B080F8 appears 42 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 004080D0 appears 52 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00AFFAE4 appears 34 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00B00730 appears 38 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00B0CFD6 appears 40 times
Source: C:\Users\user\Desktop\Script.exe	Code function: String function: 00414050 appears 67 times

Source: Script.exe

Static PE information: invalid certificate

Source: Script.exe, 00000000.00000000.1650369445.0000000000B7E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Script.exe
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Script.exe
Source: Script.exe, 00000002.00000000.1657141748.0000000000B7E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Script.exe
Source: Script.exe, 00000002.00000003.1657453204.0000000005018000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Script.exe
Source: Script.exe	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Script.exe

Source: Script.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Script.exe

Static PE information: Section: .bss ZLIB complexity 1.0003260588842975

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/1@11/2

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_0042E0F0 CoCreateInstance,

2_2_0042E0F0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03

Source: Script.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Script.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Script.exe	Virustotal: Detection: 41%
Source: Script.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\Script.exe

File read: C:\Users\user\Desktop\Script.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Script.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Script.exe

Static PE information: real checksum: 0x91221 should be: 0x9b310

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00AFFB83 push ecx; ret	0_2_00AFFB96
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043C040 push eax; mov dword ptr [esp], F6F7F0F1h	2_2_0043C04F
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_0043F250 push eax; mov dword ptr [esp], EEE9E8BBh	2_2_0043F252
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00443B27 push edx; retf	2_2_00443B2A
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_004465A4 push edi; retf 0041h	2_2_004465A5
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00AFFB83 push ecx; ret	2_2_00AFFB96

Source: C:\Users\user\Desktop\Script.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-22548

Source: C:\Users\user\Desktop\Script.exe

API coverage: 4.3 %

Source: C:\Users\user\Desktop\Script.exe TID: 3168	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Script.exe TID: 2008	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_00B11FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00B11FE9

Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF
Source: Script.exe, 00000002.00000002.1738160800.000000000354C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\Script.exe

Code function: 2_2_0043D970 LdrInitializeThunk,

2_2_0043D970

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_00AFF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00AFF8E9

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00B2A19E mov edi, dword ptr fs:[00000030h]	0_2_00B2A19E
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00AF1FB0 mov edi, dword ptr fs:[00000030h]	0_2_00AF1FB0
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00AF1FB0 mov edi, dword ptr fs:[00000030h]	2_2_00AF1FB0

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_00B0D8E0 GetProcessHeap,

0_2_00B0D8E0

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00AFF52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00AFF52D
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00AFF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AFF8E9
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00AFF8DD SetUnhandledExceptionFilter,	0_2_00AFF8DD
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_00B07E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B07E30
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00AFF52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00AFF52D
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00AFF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00AFF8E9
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00AFF8DD SetUnhandledExceptionFilter,	2_2_00AFF8DD
Source: C:\Users\user\Desktop\Script.exe	Code function: 2_2_00B07E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B07E30

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_00B2A19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00B2A19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Script.exe

Memory written: C:\Users\user\Desktop\Script.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Script.exe, 00000000.00000002.1657808262.0000000005121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: mindhandru.buzz

Source: C:\Users\user\Desktop\Script.exe

Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	0_2_00B0D1BD
Source: C:\Users\user\Desktop\Script.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B11287
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	0_2_00B114D8
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B11580
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	0_2_00B117D3
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	0_2_00B11840
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	0_2_00B11915
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	0_2_00B11960
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00B11A07
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	0_2_00B11B0D
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	0_2_00B0CC15
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	2_2_00B0D1BD
Source: C:\Users\user\Desktop\Script.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00B11287
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	2_2_00B114D8
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00B11580
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	2_2_00B117D3
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	2_2_00B11840
Source: C:\Users\user\Desktop\Script.exe	Code function: EnumSystemLocalesW,	2_2_00B11915
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	2_2_00B11960
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00B11A07
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	2_2_00B11B0D
Source: C:\Users\user\Desktop\Script.exe	Code function: GetLocaleInfoW,	2_2_00B0CC15

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_00B000B4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_00B000B4

Source: C:\Users\user\Desktop\Script.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Script.exe	42%	Virustotal		Browse
Script.exe	37%	ReversingLabs	Win32.Trojan.LummaC
Script.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://inherineau.buzz:443/api	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/T8	100%	Avira URL Cloud	malware
https://scentniej.buzz:443/api	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apip	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/vo	100%	Avira URL Cloud	malware
https://www.google.com&LB	0%	Avira URL Cloud	safe
https://screwamusresz.buzz:443/api	100%	Avira URL Cloud	malware
https://cashfuzysao.buzz:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	104.21.66.86	true	false	high
cashfuzysao.buzz	unknown	unknown	true	unknown
scentniej.buzz	unknown	unknown	true	unknown
inherineau.buzz	unknown	unknown	true	unknown
prisonyfork.buzz	unknown	unknown	false	high
rebuildeso.buzz	unknown	unknown	true	unknown
appliacnesot.buzz	unknown	unknown	true	unknown
hummskitnj.buzz	unknown	unknown	true	unknown
mindhandru.buzz	unknown	unknown	false	high
screwamusresz.buzz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
scentniej.buzz	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
rebuildeso.buzz	false	high
appliacnesot.buzz	false	high
screwamusresz.buzz	false	high
cashfuzysao.buzz	false	high
inherineau.buzz	false	high
https://lev-tolstoi.com/api	false	high
hummskitnj.buzz	false	high
mindhandru.buzz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://inherineau.buzz:443/api	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/T8	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.entrust.net/rpa03	Script.exe	false		high
https://lev-tolstoi.com/	Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com&LB	Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.verisign.	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.00000000035AA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	Script.exe	false		high
https://store.steampowered.com/;	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.entrust.net/rpa0	Script.exe	false		high
https://store.steampowered.com/about/	Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	Script.exe	false		high
http://ocsp.entrust.net02	Script.exe	false		high
https://help.steampowered.com/en/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://screwamusresz.buzz:443/api	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/market/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apip	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://store.steampowered.com/subscriber_agreement/	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/ts1ca.crl0	Script.exe	false		high
https://steamcommunity.com/workshop/	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738211908.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Script.exe, 00000002.00000003.1707664301.0000000003559000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000002.1738330508.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/vo	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900k	Script.exe, 00000002.00000003.1707664301.0000000003562000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://scentniej.buzz:443/api	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://recaptcha.net	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aia.entrust.net/ts1-chain256.cer01	Script.exe	false		high
https://store.steampowered.com/	Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cashfuzysao.buzz:443/api	Script.exe, 00000002.00000002.1738286637.0000000003596000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707844195.0000000003595000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707664301.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737719815.0000000003594000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1737812473.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Script.exe, 00000002.00000003.1707621128.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1732203849.00000000035FA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Script.exe, 00000002.00000003.1707664301.000000000357F000.00000004.00000020.00020000.00000000.sdmp, Script.exe, 00000002.00000003.1707621128.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.66.86	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581537
Start date and time:	2024-12-28 02:53:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Script.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/1@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 37 Number of non-executed functions: 179
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:53:55	API Interceptor	7x Sleep call for process: Script.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.66.86	MV ROCKET_PDA.exe	Get hash	malicious	FormBook	Browse	www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse
	Aura.exe	Get hash	malicious	LummaC	Browse
	Aura.exe	Get hash	malicious	LummaC	Browse
	Installer.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Aura.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Aura.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Installer.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Installer.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Leside-.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Setup.exe	Get hash	malicious	Unknown	Browse	104.121.10.34
	Setup.exe	Get hash	malicious	Unknown	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Aura.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Aura.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Installer.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Setup.exe	Get hash	malicious	Unknown	Browse	23.55.153.106
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	23.55.153.106
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	grand-theft-auto-5-theme-1-installer_qb8W-j1.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
CLOUDFLARENETUS	48.252.190.9.zip	Get hash	malicious	Unknown	Browse	104.21.95.219
	https://haleborealis.com	Get hash	malicious	Unknown	Browse	104.22.72.81
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0	Get hash	malicious	Unknown	Browse	172.67.216.74
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.30.13
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.66.86

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Neverlose.cc-unpadded.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	External2.4.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	WonderHack.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Script.exe
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14402
Entropy (8bit):	4.874636730022465
Encrypted:	false
SSDEEP:	384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5:	DF0EFD0545733561C6E165770FB3661C
SHA1:	0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256:	A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512:	3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.569135640066288
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Script.exe
File size:	571'432 bytes
MD5:	fe5dc1cdefa2fcd27f84353d4f239ab9
SHA1:	11a8741e9913f55b2cc5ded39214fd86cfa249e6
SHA256:	7819e3789ad768375a4685a4c7e6f715ac79226b02c4d60b1d5382772d6a6e48
SHA512:	b9923045ad9d9534c9b7247830e1390e75dab0097cbb1f497994653609096cae6a039771e627bd5958531f3e27accb335b88820a148975d0adc4bf419db98ae5
SSDEEP:	12288:7YO6Dqzihouxpa+yW7baOWofIN7mxWQrDEb9+NDFEO:EO6DThou2+ysNjINixWVUNDFt
TLSH:	68C4E0127680C4B2D9571A7759B5D7391A3FB8200F6296CB93984FBDCEB03C14E31A6E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@.................................!.....@.................................\|j..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4104a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	96d90e8808da099bc17e050394f447e7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/01/2023 19:00:00 16/01/2026 18:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007F5F10B1DFDAh
jmp 00007F5F10B1DE3Dh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F5F10B1DFD6h
test esi, ecx
jne 00007F5F10B1DFF8h
call 00007F5F10B1E001h
mov ecx, eax
cmp ecx, edi
jne 00007F5F10B1DFD9h
mov ecx, BB40E64Fh
jmp 00007F5F10B1DFE0h
test esi, ecx
jne 00007F5F10B1DFDCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043B680h], ecx
not ecx
pop edi
mov dword ptr [0043B6C0h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00436D00h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00436CB8h]
xor dword ptr [ebp-04h], eax
call dword ptr [00436CB4h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00436D50h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0043CF48h
call dword ptr [00436D28h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F5F10B24DB3h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a7c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x89200	0x2628	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x2744	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32608	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ea98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36c3c	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b4ca	0x2b600	ebf84c6b836020b1a66433a898baeab7	False	0.5443702719740634	data	6.596404756541432	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0xc50c	0xc600	96e76e7ef084461591b1dcd4c2131f05	False	0.40260022095959597	data	4.741850626178578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x3714	0x2800	d87fd4546a2b39263a028b496b33108f	False	0.29814453125	data	5.024681407682101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3e000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3f000	0x2744	0x2800	c7508b57e36483307c47b7dd73fc0c85	False	0.75166015625	data	6.531416896423856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x42000	0x4ba00	0x4ba00	49b4ee19b34ebd64c79d15b7f3b4c130	False	1.0003260588842975	data	7.99936497362103	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8e000	0x3fc	0x400	4243bfa36d7c6187562be2edfa0b46c2	False	0.443359375	data	3.391431520369637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e058	0x3a4	data	English	United States	0.44849785407725323

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

ShowWindow

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T02:53:56.034767+0100	2058582	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mindhandru .buzz)	1	192.168.2.4	51320	1.1.1.1	53	UDP
2024-12-28T02:53:56.264951+0100	2058584	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)	1	192.168.2.4	54948	1.1.1.1	53	UDP
2024-12-28T02:53:56.483294+0100	2058586	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)	1	192.168.2.4	52952	1.1.1.1	53	UDP
2024-12-28T02:53:56.735269+0100	2058588	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)	1	192.168.2.4	64878	1.1.1.1	53	UDP
2024-12-28T02:53:56.954543+0100	2058580	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)	1	192.168.2.4	59556	1.1.1.1	53	UDP
2024-12-28T02:53:57.196839+0100	2058590	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz)	1	192.168.2.4	62956	1.1.1.1	53	UDP
2024-12-28T02:53:57.497764+0100	2058572	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)	1	192.168.2.4	49681	1.1.1.1	53	UDP
2024-12-28T02:53:57.744541+0100	2058576	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)	1	192.168.2.4	62389	1.1.1.1	53	UDP
2024-12-28T02:53:57.973986+0100	2058578	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)	1	192.168.2.4	55833	1.1.1.1	53	UDP
2024-12-28T02:53:59.944827+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	23.55.153.106	443	TCP
2024-12-28T02:54:00.772348+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49733	23.55.153.106	443	TCP
2024-12-28T02:54:02.614232+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.66.86	443	TCP
2024-12-28T02:54:03.424717+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49734	104.21.66.86	443	TCP
2024-12-28T02:54:03.424717+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	104.21.66.86	443	TCP
2024-12-28T02:54:04.005048+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.66.86	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 02:53:58.428030014 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:53:58.428111076 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:53:58.428206921 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:53:58.431304932 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:53:58.431355000 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:53:59.944662094 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:53:59.944827080 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:53:59.948559999 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:53:59.948590994 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:53:59.948973894 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:53:59.989331961 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.034821033 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.079322100 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.772396088 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.772420883 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.772490978 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.772532940 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.772558928 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.772558928 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.772558928 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.772592068 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.772612095 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.772671938 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.772671938 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.772672892 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.965708017 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.965761900 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.965790987 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.965815067 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.965857029 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.995836973 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.995903015 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.995913982 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.995968103 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.997996092 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.998028994 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:00.998058081 CET	49733	443	192.168.2.4	23.55.153.106
Dec 28, 2024 02:54:00.998090982 CET	443	49733	23.55.153.106	192.168.2.4
Dec 28, 2024 02:54:01.347826004 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:01.347912073 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:01.348006010 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:01.348345041 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:01.348380089 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:02.614027977 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:02.614232063 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:02.617022991 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:02.617036104 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:02.617280006 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:02.618417978 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:02.618447065 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:02.618489981 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:03.424710035 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:03.424802065 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:03.424869061 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:03.427360058 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:03.427361012 CET	49734	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:03.427402020 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:03.427443981 CET	443	49734	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:03.495395899 CET	49735	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:03.495454073 CET	443	49735	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:03.495557070 CET	49735	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:03.495934010 CET	49735	443	192.168.2.4	104.21.66.86
Dec 28, 2024 02:54:03.495944023 CET	443	49735	104.21.66.86	192.168.2.4
Dec 28, 2024 02:54:04.005048037 CET	49735	443	192.168.2.4	104.21.66.86

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 02:53:56.034766912 CET	51320	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:56.261889935 CET	53	51320	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:56.264950991 CET	54948	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:56.480231047 CET	53	54948	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:56.483294010 CET	52952	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:56.719767094 CET	53	52952	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:56.735269070 CET	64878	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:56.950328112 CET	53	64878	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:56.954543114 CET	59556	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:57.169751883 CET	53	59556	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:57.196839094 CET	62956	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:57.423872948 CET	53	62956	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:57.497764111 CET	49681	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:57.713191986 CET	53	49681	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:57.744540930 CET	62389	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:57.970793009 CET	53	62389	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:57.973985910 CET	55833	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:58.282718897 CET	53	55833	1.1.1.1	192.168.2.4
Dec 28, 2024 02:53:58.285618067 CET	54029	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:53:58.422986984 CET	53	54029	1.1.1.1	192.168.2.4
Dec 28, 2024 02:54:01.034060001 CET	53391	53	192.168.2.4	1.1.1.1
Dec 28, 2024 02:54:01.346798897 CET	53	53391	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 02:53:56.034766912 CET	192.168.2.4	1.1.1.1	0x85f	Standard query (0)	mindhandru.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:56.264950991 CET	192.168.2.4	1.1.1.1	0xc7eb	Standard query (0)	prisonyfork.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:56.483294010 CET	192.168.2.4	1.1.1.1	0x2790	Standard query (0)	rebuildeso.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:56.735269070 CET	192.168.2.4	1.1.1.1	0xfde3	Standard query (0)	scentniej.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:56.954543114 CET	192.168.2.4	1.1.1.1	0x769f	Standard query (0)	inherineau.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:57.196839094 CET	192.168.2.4	1.1.1.1	0x6733	Standard query (0)	screwamusresz.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:57.497764111 CET	192.168.2.4	1.1.1.1	0x426	Standard query (0)	appliacnesot.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:57.744540930 CET	192.168.2.4	1.1.1.1	0xe3df	Standard query (0)	cashfuzysao.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:57.973985910 CET	192.168.2.4	1.1.1.1	0x2309	Standard query (0)	hummskitnj.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:58.285618067 CET	192.168.2.4	1.1.1.1	0xb773	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:54:01.034060001 CET	192.168.2.4	1.1.1.1	0x6265	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 02:53:56.261889935 CET	1.1.1.1	192.168.2.4	0x85f	Name error (3)	mindhandru.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:56.480231047 CET	1.1.1.1	192.168.2.4	0xc7eb	Name error (3)	prisonyfork.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:56.719767094 CET	1.1.1.1	192.168.2.4	0x2790	Name error (3)	rebuildeso.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:56.950328112 CET	1.1.1.1	192.168.2.4	0xfde3	Name error (3)	scentniej.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:57.169751883 CET	1.1.1.1	192.168.2.4	0x769f	Name error (3)	inherineau.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:57.423872948 CET	1.1.1.1	192.168.2.4	0x6733	Name error (3)	screwamusresz.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:57.713191986 CET	1.1.1.1	192.168.2.4	0x426	Name error (3)	appliacnesot.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:57.970793009 CET	1.1.1.1	192.168.2.4	0xe3df	Name error (3)	cashfuzysao.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:58.282718897 CET	1.1.1.1	192.168.2.4	0x2309	Name error (3)	hummskitnj.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:53:58.422986984 CET	1.1.1.1	192.168.2.4	0xb773	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:54:01.346798897 CET	1.1.1.1	192.168.2.4	0x6265	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Dec 28, 2024 02:54:01.346798897 CET	1.1.1.1	192.168.2.4	0x6265	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	23.55.153.106	443	6016	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 01:54:00 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-28 01:54:00 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 28 Dec 2024 01:54:00 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=c35ab4558d34b4bb773fab85; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-28 01:54:00 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-28 01:54:00 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-28 01:54:00 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	104.21.66.86	443	6016	C:\Users\user\Desktop\Script.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 01:54:02 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-28 01:54:02 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 01:54:03 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 01:54:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ib2i54a40cjj594o7khajjbp38; expires=Tue, 22 Apr 2025 19:40:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cOYnUNA5JUTx1anCfyI%2FaOH4aaDIwcco3euw34%2FJHTGzvaHCyWA75ZNy%2BoRwgKUAIjaM7xCxZoF%2BF2TBUa%2B3L1v%2FN41XV6sYpZQxZa3Ab5z%2B9BrOU8hyvqmUbgTJQiMjeK8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8deb900ec542ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1633&rtt_var=631&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=906&delivery_rate=1788120&cwnd=242&unsent_bytes=0&cid=14a1825ec32fc064&ts=824&x=0"
2024-12-28 01:54:03 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 01:54:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	20:53:54
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Script.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Script.exe"
Imagebase:	0xaf0000
File size:	571'432 bytes
MD5 hash:	FE5DC1CDEFA2FCD27F84353D4F239AB9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:53:54
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:53:55
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Script.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Script.exe"
Imagebase:	0xaf0000
File size:	571'432 bytes
MD5 hash:	FE5DC1CDEFA2FCD27F84353D4F239AB9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 00B2A19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00B2A110,00B2A100), ref: 00B2A334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00B2A347
Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 00B2A365
ReadProcessMemory.KERNELBASE(0000011C,?,00B2A154,00000004,00000000), ref: 00B2A389
VirtualAllocEx.KERNELBASE(0000011C,?,?,00003000,00000040), ref: 00B2A3B4
WriteProcessMemory.KERNELBASE(0000011C,00000000,?,?,00000000,?), ref: 00B2A40C
WriteProcessMemory.KERNELBASE(0000011C,00400000,?,?,00000000,?,00000028), ref: 00B2A457
WriteProcessMemory.KERNELBASE(0000011C,?,?,00000004,00000000), ref: 00B2A495
Wow64SetThreadContext.KERNEL32(00000088,03250000), ref: 00B2A4D1
ResumeThread.KERNELBASE(00000088), ref: 00B2A4E0

Strings

ResumeThread, xrefs: 00B2A2D8
WriteProcessMemory, xrefs: 00B2A2AF
Load, xrefs: 00B2A1DA
GetP, xrefs: 00B2A21E
VirtualAlloc, xrefs: 00B2A263
SetThreadContext, xrefs: 00B2A2C2
ReadProcessMemory, xrefs: 00B2A289
TerminateProcess, xrefs: 00B2A3C3
aryA, xrefs: 00B2A1E2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00B2A333
VirtualAllocEx, xrefs: 00B2A29C
CreateProcessW, xrefs: 00B2A250
ress, xrefs: 00B2A226
GetThreadContext, xrefs: 00B2A276

Memory Dump Source

Source File: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: d819144b815b02b66836211c9cfc39f142c8ff10629f266083c3d8313e4934e4
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 1BB1F67260064AAFDB60CF68CC80BDAB7A5FF88714F158164EA0CAB341D774FA51CB94

Function 00AF1FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AF1240: _strlen.LIBCMT ref: 00AF12BA

CreateFileA.KERNELBASE ref: 00AF2036
GetFileSize.KERNEL32(00000000,00000000), ref: 00AF2046
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00AF206B
CloseHandle.KERNELBASE(00000000), ref: 00AF207A
_strlen.LIBCMT ref: 00AF20CD
CloseHandle.KERNEL32(00000000), ref: 00AF21FD

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateReadSize
String ID:
API String ID: 2911764282-0
Opcode ID: 2c04c9fae1fbc489db8fa1aca586ff96f85f861b19851b163149d68ccb8df14a
Instruction ID: 433b4deefb5f39aead8af90171d2d82d1cbba4a77c1ea46d00e539ecf708e08c
Opcode Fuzzy Hash: 2c04c9fae1fbc489db8fa1aca586ff96f85f861b19851b163149d68ccb8df14a
Instruction Fuzzy Hash: E471DFB2C002189BCB10DFA4DC44BBEBBB5FF48320F140628F914A7391EB359945CBA5

Function 00AF1000 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c825d495c637785717622b127604b2f7d8f9fbbeefaac8f868ac612a57add6d3
Instruction ID: fb183c12da3c0669ff8f0e7be9843f857b2bc9291d14110925a5666aefa85dd0
Opcode Fuzzy Hash: c825d495c637785717622b127604b2f7d8f9fbbeefaac8f868ac612a57add6d3
Instruction Fuzzy Hash: 5F213A336101694B879C9F786DA2037FB5ADB866A0705573EFE129F3D1E921DD1082E8

Function 00AF24B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00AF24DD
ShowWindow.USER32(00000000,00000000), ref: 00AF24E6
GetCurrentThreadId.KERNEL32 ref: 00AF2524

Part of subcall function 00AFF11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00AF253A,?,?,00000000), ref: 00AFF129
Part of subcall function 00AFF11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,00AF253A,?,?,00000000), ref: 00AFF142
Part of subcall function 00AFF11D: CloseHandle.KERNEL32(?,?,?,00AF253A,?,?,00000000), ref: 00AFF154

std::_Throw_Cpp_error.LIBCPMT ref: 00AF2567
std::_Throw_Cpp_error.LIBCPMT ref: 00AF2578
std::_Throw_Cpp_error.LIBCPMT ref: 00AF2589
std::_Throw_Cpp_error.LIBCPMT ref: 00AF259A

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 40cba0e08a10830af754167978aa274433bd0b679b02c56205b5972f988d36a7
Instruction ID: 765b3cc732a2559fb98e787b6d8249da13600e82bc4074acced723e5397f7af8
Opcode Fuzzy Hash: 40cba0e08a10830af754167978aa274433bd0b679b02c56205b5972f988d36a7
Instruction Fuzzy Hash: 0F2167F1D4021D9BDF10AFD4DD06BEE7AB4AF04710F080165F6087B291E7B5A514CBA5

Function 00B0CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,C1C6EE9B,?,00B0D01A,?,?,00000000), ref: 00B0CFCC

Strings

api-ms-, xrefs: 00B0CF62
ext-ms-, xrefs: 00B0CF76

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 5747248309f45e620ae1bfb00086e07b83364e2bd3d28205a02aee182c65fbf8
Instruction ID: f128b98ebb6eb0e6a78309852128c470cf476331e6c2284fa2e67f3a46d44b0d
Opcode Fuzzy Hash: 5747248309f45e620ae1bfb00086e07b83364e2bd3d28205a02aee182c65fbf8
Instruction Fuzzy Hash: D821E731B41312ABC731AB65EC80A5A7FEADB517A0F2503A1F949A72D0DF70ED09C6D1

Function 00AF1750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00AF1783

Strings

ios_base::eofbit set, xrefs: 00AF1BEA
ios_base::badbit set, xrefs: 00AF1BFA, 00AF1C20
ios_base::failbit set, xrefs: 00AF1BEF

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 8071a40db3cccc4a67e042650394503a84384e7a137e3acbd1d5d2f585579bc6
Instruction ID: b8671ed244a5bc96b6b9f0ce84f9403831f5b69a8f7d56841a463b05a4cdb74e
Opcode Fuzzy Hash: 8071a40db3cccc4a67e042650394503a84384e7a137e3acbd1d5d2f585579bc6
Instruction Fuzzy Hash: 61F16E75A00218CFCB14DFA8C494BADBBF1FF88324F1942A9E915AB391D775AD41CB90

Function 00B05349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00015470,00000000,00000000,00000000), ref: 00B05392
GetLastError.KERNEL32(?,?,?,00AF2513,00000000,00000000), ref: 00B0539E
__dosmaperr.LIBCMT ref: 00B053A5

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: b9afd518418bb5dfa1250c64c10670776c79f4a789b3da4a7df78af462b731ca
Instruction ID: 432edce51c20fe1ab1e2a269acb144b1ce0e40cd59b2d77b2ce71b3f442c22ce
Opcode Fuzzy Hash: b9afd518418bb5dfa1250c64c10670776c79f4a789b3da4a7df78af462b731ca
Instruction Fuzzy Hash: 60016D72500619ABDF259FA0DC06AAF7FA5EF003A0F008098F80292590EBB0D940DB54

Function 00B054EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B0C2BB: GetLastError.KERNEL32(00000000,?,00B076E9,00B0D306,?,?,00B0C1B7,00000001,00000364,?,00000005,000000FF,?,00B05495,00B28E38,0000000C), ref: 00B0C2BF
Part of subcall function 00B0C2BB: SetLastError.KERNEL32(00000000), ref: 00B0C361

CloseHandle.KERNEL32(?,?,?,00B053D9,?,?,00B054CE,00000000), ref: 00B0551F
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00B053D9,?,?,00B054CE,00000000), ref: 00B05535
ExitThread.KERNEL32 ref: 00B0553E

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 191cbc7acda38f773a4f039816add2b7f21dd7ff9fe93dada21e3a70e1ad816e
Instruction ID: d4c491fb80566b33e3d1c4c0a5cf912418e1906b8af1b5801e125149c893a91e
Opcode Fuzzy Hash: 191cbc7acda38f773a4f039816add2b7f21dd7ff9fe93dada21e3a70e1ad816e
Instruction Fuzzy Hash: 59F0F8B1500A456BCB356B75DC48B5B3FEAFF11370B184A94F869C79E0DB20ED528B90

Function 00B0565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00B05721,00B08396,00B08396,?,00000002,C1C6EE9B,00B08396,00000002), ref: 00B05670
TerminateProcess.KERNEL32(00000000,?,00B05721,00B08396,00B08396,?,00000002,C1C6EE9B,00B08396,00000002), ref: 00B05677
ExitProcess.KERNEL32 ref: 00B05689

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 463bc5e0001f6cf285ad6523e183648196ec04c26beae5c402e42d00a585a871
Instruction ID: 0dd02b94b610aa2ad9dd145b1e90827fa32b118b23be1e5a4918edf3bca6f95b
Opcode Fuzzy Hash: 463bc5e0001f6cf285ad6523e183648196ec04c26beae5c402e42d00a585a871
Instruction Fuzzy Hash: 2AD09231000648BFCF213F61DC0D99A3F6AEF54391B448460B9494A4B6DF32A993DF84

Function 00B13BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B13F9E: GetConsoleOutputCP.KERNEL32(C1C6EE9B,00000000,00000000,?), ref: 00B14001

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00B08584,?), ref: 00B13D79
GetLastError.KERNEL32(?,?,00B08584,?,00B087C8,00000000,?,00000000,00B087C8,?,?,?,00B28FE8,0000002C,00B086B4,?), ref: 00B13D83

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 9f31c97974e14eefb955340c5624fdcf979f7f27768ef9f73a90e8b90c8d765d
Instruction ID: 25236efb9f0409526f413e21fa7b5b0ba62830355df067b97a66ba39ff75d909
Opcode Fuzzy Hash: 9f31c97974e14eefb955340c5624fdcf979f7f27768ef9f73a90e8b90c8d765d
Instruction Fuzzy Hash: B061A2B5904259AFDF11DFA8D884AEEBFF9EF09704F9401D5E800A7251E731DA81CBA0

Function 00B143CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00B13D5F,00000000,00B087C8,?,00000000,?,00000000), ref: 00B14469
GetLastError.KERNEL32(?,00B13D5F,00000000,00B087C8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00B08584), ref: 00B1448F

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: e5985ce276dc294e796e2b11847f292e3b866aac7df2cd9349063995987ceb7b
Instruction ID: b68d8bd27d55aedec52f93387c1aed94ea23a8671d94f2c84647bd0e4a350d9e
Opcode Fuzzy Hash: e5985ce276dc294e796e2b11847f292e3b866aac7df2cd9349063995987ceb7b
Instruction Fuzzy Hash: 3F219135A002199BCB19CF59DC80AE9B7F9EB4C305F6444E9EA06D7311DB30DE82CB64

Function 00AF90F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00AF91C9
std::_Throw_Cpp_error.LIBCPMT ref: 00AF91D7

Part of subcall function 00AFEFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00AF8E4A,00AFA2F0), ref: 00AFEFE7

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: 72ceb76ef6f3707609d0b19ae3814476b1d72beb66e356867ded4e09c00dc287
Instruction ID: aa60dd57450f24c90020074bce407648720f30c0463ff580b1b361c2cb2767e9
Opcode Fuzzy Hash: 72ceb76ef6f3707609d0b19ae3814476b1d72beb66e356867ded4e09c00dc287
Instruction Fuzzy Hash: D121D3B1A0064A9BDB10DFA4CA45BBEBBB5FB04320F144328F6196B381D734A915CBD6

Function 00B0DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00B0D941,00B29330,0000000C), ref: 00B0DA9E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00B0D941,00B29330,0000000C), ref: 00B0DAB0

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 8a90c7d7d8ddd3e062894e0c2b24f86d3ea34a84288eef88a47888d81120fcac
Instruction ID: e0473548aaceb2040d46f2f0c1727ce207669c59f68b0537ccf1af3f6734a1c7
Opcode Fuzzy Hash: 8a90c7d7d8ddd3e062894e0c2b24f86d3ea34a84288eef88a47888d81120fcac
Instruction Fuzzy Hash: 9811967170C7424AC7308EBE8CC8622BED5EB56330B3807DAD2B6875F1CA74D986D641

Function 00AF1EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AF1240: _strlen.LIBCMT ref: 00AF12BA

FreeConsole.KERNELBASE(?,?,?,?,?,00AF173F,?,?,?,00000000,?), ref: 00AF1F21
VirtualProtect.KERNELBASE(00B2A011,00000549,00000040,?), ref: 00AF1F78

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID:
API String ID: 1248733679-0
Opcode ID: 4806db6a189e1726ec09cdea050f8ea2f1bbe2d84a3ef03291e5fb6a110604a3
Instruction ID: 7326fe16bea24ac48f188f4b408d1dbff6cf4d5dbd45b66e9d04a7fdcc7b244e
Opcode Fuzzy Hash: 4806db6a189e1726ec09cdea050f8ea2f1bbe2d84a3ef03291e5fb6a110604a3
Instruction Fuzzy Hash: 0611C271B00218ABDB14BBA4AC02EFF7BB4EB84701F404479FA08B72D2EA75995587D5

Function 00B05470 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B28E38,0000000C), ref: 00B05483
ExitThread.KERNEL32 ref: 00B0548A

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 651c891153acc4f1ea490cb4fb9c36640d88cd32eadf2d6bb534f955a241db57
Instruction ID: 754e336b34cc8388c7645e0ea89c4985d4a37624e7a2aef9b06d73aaad92cefa
Opcode Fuzzy Hash: 651c891153acc4f1ea490cb4fb9c36640d88cd32eadf2d6bb534f955a241db57
Instruction Fuzzy Hash: 20F0AF71A006049FDB24BFB0C80AA6E3FB4EF04750F104199F006A72D2CF745D42CB51

Function 00AF2270 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00AF2288
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00AF229C

Part of subcall function 00AF1FB0: CreateFileA.KERNELBASE ref: 00AF2036
Part of subcall function 00AF1FB0: GetFileSize.KERNEL32(00000000,00000000), ref: 00AF2046
Part of subcall function 00AF1FB0: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00AF206B
Part of subcall function 00AF1FB0: CloseHandle.KERNELBASE(00000000), ref: 00AF207A
Part of subcall function 00AF1FB0: _strlen.LIBCMT ref: 00AF20CD

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: File$HandleModule$CloseCreateNameReadSize_strlen
String ID:
API String ID: 3505371420-0
Opcode ID: c88d9d8322f13e106215a789cb2243bcb47c8eac0b028cf956b9925609cd12e1
Instruction ID: 9fd50303a2ada774f45bd6477d21bcae9c38393a312b0e33597dcf4694f488a6
Opcode Fuzzy Hash: c88d9d8322f13e106215a789cb2243bcb47c8eac0b028cf956b9925609cd12e1
Instruction Fuzzy Hash: 8BF0EDB1A002106BD231B724AC8BEEBBBACDF99710F000918F6894B281EE7415468793

Function 00B0BED7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00B102B4,?,00000000,?,?,00B0FF54,?,00000007,?,?,00B1089A,?,?), ref: 00B0BEED
GetLastError.KERNEL32(?,?,00B102B4,?,00000000,?,?,00B0FF54,?,00000007,?,?,00B1089A,?,?), ref: 00B0BEF8

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 0b6fff71465e855e0c6e54cf834b9af63c98da4b976fe2ba3af47b7102705972
Instruction ID: 6f5b189dbcdcf299138ef1c8462c3115083bcbe34b30967da96471ae03b21cc4
Opcode Fuzzy Hash: 0b6fff71465e855e0c6e54cf834b9af63c98da4b976fe2ba3af47b7102705972
Instruction Fuzzy Hash: 7AE08C32604258ABCF312FA4AC08B997FA8EB00391F1040A1F608972B0CF319C41CB94

Function 00AFDEF0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b3cd0d32de60d12c76383371aeb5a47ff9636c2815359770a65285f36ee9e3
Instruction ID: e9dab8aa07aab2aab9396b04ea27fca5cf0e0123b0a6935061e7c9e3b9ee3a32
Opcode Fuzzy Hash: 66b3cd0d32de60d12c76383371aeb5a47ff9636c2815359770a65285f36ee9e3
Instruction Fuzzy Hash: 2B418E32A0011EAFCB15DFA8C8948FDB7B9FF18314B544169F642E7650EB31E945DB90

Function 00AFCB40 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8eede2ddd0a48d6e2e1860850a78762740ac9093f00461c4ef6f5fc8d243eb
Instruction ID: 1c5ae231090153b1a4ae1307e3ab3cc60d18fbf96309c77f444fbd71c8578fef
Opcode Fuzzy Hash: 6c8eede2ddd0a48d6e2e1860850a78762740ac9093f00461c4ef6f5fc8d243eb
Instruction Fuzzy Hash: 9D31987190011EAFCB14DFA9DA909FEB7B8BF09330B140266F615E7290D731E945CB90

Function 00AFB060 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00AFAFC4: GetModuleHandleExW.KERNEL32(00000002,00000000,00AF8A2A,?,?,00AFAF87,00AF8A2A,?,00AFAF58,00AF8A2A,?,?,?), ref: 00AFAFD0

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,C1C6EE9B,?,?,?,Function_0002BE94,000000FF), ref: 00AFB0C7

Part of subcall function 00AFAEFA: std::_Throw_Cpp_error.LIBCPMT ref: 00AFAF1B

Part of subcall function 00AFEFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00AF8E4A,00AFA2F0), ref: 00AFEFE7

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID:
API String ID: 3627539351-0
Opcode ID: 25b9bc129abae59792db67212ab505d29e1a36cebb594dc0a041170672b52d65
Instruction ID: 81caa528402a7f451c8e8d0d9887ff34b787c3095c9655bea72f508c1bc63664
Opcode Fuzzy Hash: 25b9bc129abae59792db67212ab505d29e1a36cebb594dc0a041170672b52d65
Instruction Fuzzy Hash: E011E2726006189BCB25ABA5DD11A7E7BA9EB40B20F00452AF6198B6A1CF349D01CB51

Function 00B0CFD6 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b41983e7c7f343a191301de2a08021e41c0c70bacd1f8d2fd79c7b9ed10e7f
Instruction ID: a174e14bd8d3489ccca71eed39002544f724213cbca06b823f126cd8b4db328b
Opcode Fuzzy Hash: d6b41983e7c7f343a191301de2a08021e41c0c70bacd1f8d2fd79c7b9ed10e7f
Instruction Fuzzy Hash: 4801F5332002159FDB278FA8EC90D167BEAFBC0720B254964F908870D8EF31D8069794

Function 00AFCB32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 02d3989040706dd00239d8b4d84875eaac2f29b2b375edfcbf944e8ea0911a81
Instruction ID: 8dabe1bb0402da508f0ff3a2786b8b1627e685e843ceb468f2f060f141ce5fd6
Opcode Fuzzy Hash: 02d3989040706dd00239d8b4d84875eaac2f29b2b375edfcbf944e8ea0911a81
Instruction Fuzzy Hash: 6601447A64828E5ECB159BB9FB692B8BB60FF95334B2041AFF215C54C2CB135856C300

Function 00AF7770 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00AF77C6

Part of subcall function 00AFAF64: CloseThreadpoolWork.KERNEL32(?,00000000,?,00AF78DA,00000000), ref: 00AFAF72

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
String ID:
API String ID: 312417170-0
Opcode ID: d32b538ff6548fbdaa07f2b8e48ecf6557218f8f674d4d265bd287c7465526f7
Instruction ID: b58d35d4e376eb83ce5325dadc9f063a5cba4f8f8f445d40609999cd082ac7fe
Opcode Fuzzy Hash: d32b538ff6548fbdaa07f2b8e48ecf6557218f8f674d4d265bd287c7465526f7
Instruction Fuzzy Hash: EF0128F1C006599BDB00EF94D9457EEBBB4FB44720F004239E91967350E779AA85CBD2

Function 00B0BF11 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00B0DF35,?,?,00B0DF35,00000220,?,00000000,?), ref: 00B0BF43

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 851739fe530cb52e900c1e688cdd45e2d2d96f1365283ddfce487b5828076515
Instruction ID: 8f56d41f761f19b3e4c519073a75ed4a68f72ef27547cfc75c1fd605f75cfe9e
Opcode Fuzzy Hash: 851739fe530cb52e900c1e688cdd45e2d2d96f1365283ddfce487b5828076515
Instruction Fuzzy Hash: 4CE06D3264562766DA312A669C80F9A7EC8EF41BA0F1501E1EC5DD71D0DF20EC00C9A1

Function 00AF98F0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00AF990F

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b8da882641d8de2157e58557cd9cdfdada772876782d75cf4da214edebbb8f59
Instruction ID: 3d0410580e4127bcf13b9835f9b92a0b9cbc9a4cb57dd5cd48b1c151320f7c16
Opcode Fuzzy Hash: b8da882641d8de2157e58557cd9cdfdada772876782d75cf4da214edebbb8f59
Instruction Fuzzy Hash: 29D05E3A7150284B46147B69A85492E63A1AFC8B203660599E951D7355CB24AC428780

Non-executed Functions

Function 00B17792 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B179A9

Strings

1#INF, xrefs: 00B178C8
1#IND, xrefs: 00B17897
1#QNAN, xrefs: 00B178A5
1#SNAN, xrefs: 00B1789E

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f7c7798f3412e67dfcbe067f446a21d52ace54f1cef69ab3e91130908c791431
Instruction ID: d8843429506236e4fdaa2d20522f1950e17d0cc8e1594bf0e5d06921fd12037e
Opcode Fuzzy Hash: f7c7798f3412e67dfcbe067f446a21d52ace54f1cef69ab3e91130908c791431
Instruction Fuzzy Hash: B7D21671E082298BDB65CE28DD84BEAB7F5FB44344F5441EAD40DA7240EB78AEC58F41

Function 00B11A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00B113BD,00000002,00000000,?,?,?,00B113BD,?,00000000), ref: 00B11AA0
GetLocaleInfoW.KERNEL32(?,20001004,00B113BD,00000002,00000000,?,?,?,00B113BD,?,00000000), ref: 00B11AC9
GetACP.KERNEL32(?,?,00B113BD,?,00000000), ref: 00B11ADE

Strings

OCP, xrefs: 00B11A5B
ACP, xrefs: 00B11A25

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: e1dca4241c3d5eaef286d6374c9d17b77cba0ffe6cdebe124912082f19f05a7b
Instruction ID: 0cf5f0c1a331a8849716be94f86778f8aa093f759bbae52290697cbfcf7683cf
Opcode Fuzzy Hash: e1dca4241c3d5eaef286d6374c9d17b77cba0ffe6cdebe124912082f19f05a7b
Instruction Fuzzy Hash: DF217422B22500AADB34CB5CC940AD77BEAEF54B54BD688E4EB2AD7104E732DD81C750

Function 00B11287 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00B1138F
IsValidCodePage.KERNEL32(00000000), ref: 00B113CD
IsValidLocale.KERNEL32(?,00000001), ref: 00B113E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B11428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B11443

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: adcda833181e6ac9a1d708dbde2e0c0d5a58745c13bae325b588743384219334
Instruction ID: 9b4d8c6e4a283c9e83ddc239b614860cb5337272944b3da9270151af74c0c45a
Opcode Fuzzy Hash: adcda833181e6ac9a1d708dbde2e0c0d5a58745c13bae325b588743384219334
Instruction Fuzzy Hash: BF518271A00219ABDB20EFA9DC45AFE77F8EF04700F9449A5F614E7194EB709A80CB61

Function 00B09CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: bcf8a0de62a1839733e93e5930c64ac83c10babbfb29e6aa1d7b842b7353aa61
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 4D022A71E012199BDF14CFA8C8806AEBBF1FF48314F2486A9E519E7381D731AE458B90

Function 00B11FE9 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00B120D9
FindNextFileW.KERNEL32(00000000,?), ref: 00B121CD
FindClose.KERNEL32(00000000), ref: 00B1220C
FindClose.KERNEL32(00000000), ref: 00B1223F

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 8b24578fd7a137be4fea679c59cd294c0a7a411c93456e3017457f5f7ddb5ecf
Instruction ID: 771a1f19047b6e0116877b056bffaced3b97e8b793a309968126f4481c220865
Opcode Fuzzy Hash: 8b24578fd7a137be4fea679c59cd294c0a7a411c93456e3017457f5f7ddb5ecf
Instruction Fuzzy Hash: FC71D071905158AEDF21EF28DC89AFEBBF9EB09300F9442D9E148A3251DA314ED58F50

Function 00AFF8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00AFF8F5
IsDebuggerPresent.KERNEL32 ref: 00AFF9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AFF9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00AFF9E4

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1af10d448588a0a9f72295b435d3d7c41621b598a7b3f779d59d7a077063b077
Instruction ID: 513cf533c271b2f08f8478c1ffa5e52679e1ea4aefe1e11999021127d4916c3e
Opcode Fuzzy Hash: 1af10d448588a0a9f72295b435d3d7c41621b598a7b3f779d59d7a077063b077
Instruction Fuzzy Hash: FF31E775D0121D9ADB21DFA4DD897CDBBB8AF08300F1041AAE50CAB250EB719A858F45

Function 00B11580 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B115D4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B1161E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B116E4

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: a402b485dc84b3ee33c878884da6e80592793d2e401245b67cc40def875004b5
Instruction ID: 50f07b6c848641f14e95fd9870c088185e2cb9d3c4b6ddc9f47dff006674250f
Opcode Fuzzy Hash: a402b485dc84b3ee33c878884da6e80592793d2e401245b67cc40def875004b5
Instruction Fuzzy Hash: 2F618CB16002079FDB289F28DD82BBA77E8EF14700F5486B9EA05C62C5EB35DD81DB54

Function 00B07E30 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B07F28
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B07F32
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00B07F3F

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fe85f1a831a026ad81efe234d8670a6e7ab0af3a0a12089197adbb636be0c9a5
Instruction ID: 853a050e8c736bb766fb73d6677fb781066000f7e2dab0fc137a4780964787ac
Opcode Fuzzy Hash: fe85f1a831a026ad81efe234d8670a6e7ab0af3a0a12089197adbb636be0c9a5
Instruction Fuzzy Hash: F931D27490122DABCB21DF64DD88B9DBBB8BF08310F5041EAE50CA7291EB309F858F45

Function 00B000B4 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 00B000EC
GetSystemTimeAsFileTime.KERNEL32(?,C1C6EE9B,00AF8E30,?,00B1BE77,000000FF,?,00AFFDB4,?,00000000,00000000,?,00AFFDD8,?,00AF8E30,?), ref: 00B000F0

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: cfd6640556e447e4f2113caac951e7be4f3baf9ba210221989f89442c9fdead3
Instruction ID: 9c8e50bcc21e1849fa7287aa2b8359c237b1dc494474232e9547745c72eb4c63
Opcode Fuzzy Hash: cfd6640556e447e4f2113caac951e7be4f3baf9ba210221989f89442c9fdead3
Instruction Fuzzy Hash: 16F06532A44658EFC7219F44DC40FAEBBE8F708B50F00066AE81293B90DF356901DBC0

Function 00B15C5E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B15BB9,?,?,00000008,?,?,00B1BCAB,00000000), ref: 00B15E8B

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a545062ebaa09dbf61b72ad4898b5b2320037707e553261c05581a6a86baa8e5
Instruction ID: 7a2aeeeaec6cb29c9a7e960b3d8ed08595113513866e399cf0c529fe4fb4c3f3
Opcode Fuzzy Hash: a545062ebaa09dbf61b72ad4898b5b2320037707e553261c05581a6a86baa8e5
Instruction Fuzzy Hash: 35B13031510A09DFD725CF28C48AB957BE0FF85364F658698E899CF2A1C735E9D2CB40

Function 00AFF555 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00AFF56B

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 456496c3539c475ee87f46b6dfbc8d951b58511ccbe38b0d7ad3771ebbd43233
Instruction ID: 4844508bf37cd243f2d60a6ea2d2420ed2bf1225a06e9874d0bc6596b590660a
Opcode Fuzzy Hash: 456496c3539c475ee87f46b6dfbc8d951b58511ccbe38b0d7ad3771ebbd43233
Instruction Fuzzy Hash: 06A190729106098FDB28CF94D881BADBBF5FB48364F24853AE515EB360DB74A941CF90

Function 00B11840 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B11894

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 8ac2f46b4080fcca92fe1347a02f1b619086c5c289e932dd522a65b0f6dc4f42
Instruction ID: 7f058dad352500fed8f7310f287ded02bf764d627d0857c716e7ac53550b558e
Opcode Fuzzy Hash: 8ac2f46b4080fcca92fe1347a02f1b619086c5c289e932dd522a65b0f6dc4f42
Instruction Fuzzy Hash: A321B072610206ABDB289B29DC41AFA7BECEF04711B5085BAFE02D7181EB34ED809750

Function 00B03FB2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00B04136

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2c406764ac7ca90f9b7086a683fa8ea1d2193b502ae4c40f1047fb2e9d4981fe
Instruction ID: d6e1b6252960cf5cb04fabe9c692db41aaa16cc66d9f6f21597c2d6fd968a5ac
Opcode Fuzzy Hash: 2c406764ac7ca90f9b7086a683fa8ea1d2193b502ae4c40f1047fb2e9d4981fe
Instruction Fuzzy Hash: A3B1BEB0A0060A8BCB24CE68CA956BEBFF5EB41300F1446DDE752A76D1E731EA45CB51

Function 00B114D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

EnumSystemLocalesW.KERNEL32(00B11580,00000001,00000000,?,-00000050,?,00B11363,00000000,-00000002,00000000,?,00000055,?), ref: 00B1154A

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 86d74c6d509318505cacf72f608da56f571515e2b46945ccea64dff7bf92c73c
Instruction ID: 7d6dcc4ed7e6ce3110fc7defc3e9a4a6e9a34ff4df706bc70dfb56771f5c5b46
Opcode Fuzzy Hash: 86d74c6d509318505cacf72f608da56f571515e2b46945ccea64dff7bf92c73c
Instruction Fuzzy Hash: BF11E9362047015FDB189F3DC8915BABBD2FF94758B54486CE64787B40E771B982CB40

Function 00B11960 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B119B4

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6526639cbfa455835416af65fb42843ebfb3e8481cd99c76022c4b93111e48d2
Instruction ID: 54077d61a08fa6f02e772cd4c0b1d7bd54578d81ff41dcc159c7d3d08d52b7a3
Opcode Fuzzy Hash: 6526639cbfa455835416af65fb42843ebfb3e8481cd99c76022c4b93111e48d2
Instruction Fuzzy Hash: 15110232611206ABDB14EF68CC52AFB7BECEF04710B1041BAF602D7181EB34ED469750

Function 00B11B0D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B1179C,00000000,00000000,?), ref: 00B11B39

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: db340da97c5e407e1921753e797014e803e823140aa7712bbb405d4050a7c60a
Instruction ID: 940a1f18076a66714f0e472a6b95962e7f026440b7da00a857139ce0ef0d9e57
Opcode Fuzzy Hash: db340da97c5e407e1921753e797014e803e823140aa7712bbb405d4050a7c60a
Instruction Fuzzy Hash: 4401D632714112ABDB285B688C45AFB37A8EF40754F5548A8EE06A31C0FA74EE81C6A0

Function 00B117D3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

EnumSystemLocalesW.KERNEL32(00B11840,00000001,?,?,-00000050,?,00B1132B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00B1181D

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 618aae6fedcd74aa04a99fa1acffe4a1ceb36e92ac8f7830934d6a7caf8a0639
Instruction ID: f73dffc1a325567d712e307b50e405f8aa53dfdf7b9696ac87f9f31a300cc709
Opcode Fuzzy Hash: 618aae6fedcd74aa04a99fa1acffe4a1ceb36e92ac8f7830934d6a7caf8a0639
Instruction Fuzzy Hash: EAF0F6362043045FDB245F7DDC81ABB7FD1EF80768F4588ACFA458B690D6B19C82C650

Function 00B0D1BD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B080E1: EnterCriticalSection.KERNEL32(?,?,00B0C5F8,?,00B29290,00000008,00B0C4EA,?,?,?), ref: 00B080F0

EnumSystemLocalesW.KERNEL32(00B0D1B0,00000001,00B29310,0000000C,00B0CB11,-00000050), ref: 00B0D1F5

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4a9cf80a50493ecf0b5983829f0cde3845ce6973298f803820faa3add3652d83
Instruction ID: 45dfdb83a4c246514669641ce13d6fdb016b45739a7ed892856baca64a11de91
Opcode Fuzzy Hash: 4a9cf80a50493ecf0b5983829f0cde3845ce6973298f803820faa3add3652d83
Instruction Fuzzy Hash: 4DF04972A04204EFDB20EFA8E842B9DBBF0EB48721F0081AAF4159B2E0DB754941CF44

Function 00B11915 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

EnumSystemLocalesW.KERNEL32(00B11960,00000001,?,?,?,00B11385,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00B1194C

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ee78ecb14e17ae15bb0982e7cd7a24cf34e940ccfa243c52337ec707c607efc6
Instruction ID: 9dadd5dac5bcb138bb7b08b8389e9e6e83d533439841d6afe3d639412c13c546
Opcode Fuzzy Hash: ee78ecb14e17ae15bb0982e7cd7a24cf34e940ccfa243c52337ec707c607efc6
Instruction Fuzzy Hash: 7CF0EC3530020557CB14AF39DC656A67FE4EFC1B50F464499EB159B151C6719883C790

Function 00B0CC15 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00B06E33,?,20001004,00000000,00000002,?,?,00B05D3D), ref: 00B0CC49

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f37b3ec5a34e7eea7d8d46f380f29eb0d94ee0f30b0305b8f479d66bfc4e6e5a
Instruction ID: 6c4b6ba2c3c7777990973c8bf44a2d578c3a81a4440c2210c8a76d2377910133
Opcode Fuzzy Hash: f37b3ec5a34e7eea7d8d46f380f29eb0d94ee0f30b0305b8f479d66bfc4e6e5a
Instruction Fuzzy Hash: 12E04F3150022CBBCF222FA0ED04E9E3F56EF44B50F048165FD09661A1CF318D22ABD0

Function 00AFF8DD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000FA00), ref: 00AFF8E2

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 25831e0eef98eb7c9ff36d1afbf659a73e51221621aa1007910d5195203df976
Instruction ID: 454eb5ff5b1f25e4227f26e9791aa14a53579c989fb30a9898b1a8aa49b16148
Opcode Fuzzy Hash: 25831e0eef98eb7c9ff36d1afbf659a73e51221621aa1007910d5195203df976
Instruction Fuzzy Hash:

Function 00B0D8E0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B0D8E0

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f8c09421c698beb7d3bdc1bf36b3f043a728f442c1b848a5455e0a43e545f1cd
Instruction ID: a02e220965ba406f1a6715e98316f3ed392557c09c2578456f43bccdd9e87de4
Opcode Fuzzy Hash: f8c09421c698beb7d3bdc1bf36b3f043a728f442c1b848a5455e0a43e545f1cd
Instruction Fuzzy Hash: F3A02230302202CF8320AF32AE0830C3BECFA00AE0300C03AA800C3230EF308002AF00

Function 00B1AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,00B1AACD,?,?,?,?,?,?,?,?,?), ref: 00B1AB88
__alloca_probe_16.LIBCMT ref: 00B1AC43
__alloca_probe_16.LIBCMT ref: 00B1ACD2
__freea.LIBCMT ref: 00B1AD1D
__freea.LIBCMT ref: 00B1AD23
__freea.LIBCMT ref: 00B1AD59
__freea.LIBCMT ref: 00B1AD5F
__freea.LIBCMT ref: 00B1AD6F

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 292373ea4972c0a3802265cb3aa6fd0417a6cb6d62cfcaa53c7d405762a08e74
Instruction ID: 08cc2c60df84699f1d06055ff691d039385af661a5d89ebb50c245d9f439e0ab
Opcode Fuzzy Hash: 292373ea4972c0a3802265cb3aa6fd0417a6cb6d62cfcaa53c7d405762a08e74
Instruction Fuzzy Hash: 8771147290564A6BDF209EA49C81FEF7BFADF45710F9800E5F904A7291E734AC808792

Function 00AFFE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00AFFE70
__alloca_probe_16.LIBCMT ref: 00AFFE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00AFFEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AFFEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AFFF37
__alloca_probe_16.LIBCMT ref: 00AFFF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00AFFF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00AFFFB9

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: c00ad9dcf1c1d4ea7115ee6c39af440a0f82382f43338983fbea7ac422ff25c4
Instruction ID: 6a2c0913f178d73383f6674e1b502336b212490950b65186f4d4dd406cc2876b
Opcode Fuzzy Hash: c00ad9dcf1c1d4ea7115ee6c39af440a0f82382f43338983fbea7ac422ff25c4
Instruction Fuzzy Hash: 69518B7260021EAFEB205FA0CC45FBA7BB9EF41790F254439FA15EA1A0DB718D11CB60

Function 00B0EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B0EEFC

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: b6c039fbda78fe0b138a1679667b06aa35cb1c57f8e218944b4a51c4e397efd6
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: A7B14572A04356AFEB218F24CC81BBEBFE5EF55310F1481E5E954AB2C2E674D941C7A0

Function 00B00D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B00D77
___except_validate_context_record.LIBVCRUNTIME ref: 00B00D7F
_ValidateLocalCookies.LIBCMT ref: 00B00E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00B00E33
_ValidateLocalCookies.LIBCMT ref: 00B00E88

Strings

csm, xrefs: 00B00E1D

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bdd9072bc894df382d536aadc4c0c10bef6c92925207fb116fa399b68b893a99
Instruction ID: 9fb7d4e521b9d0155c589fb3ec49b1862bba151fa6e03e7860b93c6bec84b930
Opcode Fuzzy Hash: bdd9072bc894df382d536aadc4c0c10bef6c92925207fb116fa399b68b893a99
Instruction Fuzzy Hash: 09419130E102189BCF10EF68C884B9EBFE5EF45314F1489E5E9156B2D2DB31A955CB91

Function 00B00080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B00086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B00094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00B000A5

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00B0008E
GetTempPath2W, xrefs: 00B0009A
kernel32.dll, xrefs: 00B00081

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 46ddb9a949e7fa35ad87ecc706faf9ddd9696020f51fe70fd15999d74cc4167f
Instruction ID: 3aee59c75296ca079aed6affb38d14d7183b6e2fdb156a81569069dca59e72e7
Opcode Fuzzy Hash: 46ddb9a949e7fa35ad87ecc706faf9ddd9696020f51fe70fd15999d74cc4167f
Instruction Fuzzy Hash: F4D09271546220AB8331AFB8BD4988A3FE9FA09B113014192F949D3264DFB885538A94

Function 00B14F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c7552a5c581a1a7d9f56805a983c85001fb3b5b3671cf496a7b95b8bff5a03
Instruction ID: 0fce3004f6e8082211060636c914b8303d972534ed5f500007b4c31f60e1d0da
Opcode Fuzzy Hash: b1c7552a5c581a1a7d9f56805a983c85001fb3b5b3671cf496a7b95b8bff5a03
Instruction Fuzzy Hash: 8BB1D371E04A49EFDB21DFA8D880BEDBBF1EF85304F5441D9E51197291CB71A981CBA0

Function 00AF9B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00AF9C97
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9D06

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: e6237ee9c22d16a9f5105c24c651196e7f45dd025fdbbc34c5cb3a3db8109e4d
Instruction ID: 6bdf29fae570235d1682402082cf6389c95e6632e775cb1128b50bf74d715375
Opcode Fuzzy Hash: e6237ee9c22d16a9f5105c24c651196e7f45dd025fdbbc34c5cb3a3db8109e4d
Instruction Fuzzy Hash: 3B41B2B1900748CFDB309BA48A417BBB7F8AF45324F18062DF76A562E2D7716505CB62

Function 00B0ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B0ACDE,00B00760,00AFB77F,C1C6EE9B,?,?,?,?,00B1BFCA,000000FF), ref: 00B0ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B0AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B0AD1C
SetLastError.KERNEL32(00000000,?,00B0ACDE,00B00760,00AFB77F,C1C6EE9B,?,?,?,?,00B1BFCA,000000FF), ref: 00B0AD6E

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c3d783e5b69b0c1ec9fd01152bde6a59792bd6dc81abca20838055236324061e
Instruction ID: 87488e8f5757099b1201625938fd0af79e1fdc5ee86316f89adca647dffee3b7
Opcode Fuzzy Hash: c3d783e5b69b0c1ec9fd01152bde6a59792bd6dc81abca20838055236324061e
Instruction Fuzzy Hash: 5C01BC7220A715AEE7342A747C8986A3FC8EB01B7676007BAF620565E0EF154C83A281

Function 00B0B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B0B68D
CallUnexpected.LIBVCRUNTIME ref: 00B0B906

Strings

csm, xrefs: 00B0B6C4
csm, xrefs: 00B0B5AB
csm, xrefs: 00B0B618

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: b81d5f889aa5db06fc56116d97d7447e53ad7fef77e14fbbe5221fbb5ad8414f
Instruction ID: e9daf76a2b9dcec6e9aee3efdd61742e8bba7553793f04ef3fc6074ad9551c80
Opcode Fuzzy Hash: b81d5f889aa5db06fc56116d97d7447e53ad7fef77e14fbbe5221fbb5ad8414f
Instruction Fuzzy Hash: DAB12571800209EFCF29DFA4C881DAEBBF9EF54310F15859AE8116B292D731DA61DB91

Function 00AFBE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00AFBF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 00AFC028

Strings

MOC, xrefs: 00AFBE9F
csm, xrefs: 00AFBEB7
RCC, xrefs: 00AFBEAB

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: db2e54675ecf4dd8e3f700c93e68e446e33d78ba7b8ebd2dde94f116462db6ec
Instruction ID: 25b3e30a9bd5bfaea646506356960313a61b3eb8db46d6b1df132c5c961699fb
Opcode Fuzzy Hash: db2e54675ecf4dd8e3f700c93e68e446e33d78ba7b8ebd2dde94f116462db6ec
Instruction Fuzzy Hash: AE41AD7491020DDFCF28DFA8CA459BEB7B5AF48300B58809DF649A7652C734EA05CB61

Function 00B055C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C1C6EE9B,?,?,00000000,00B1BE94,000000FF,?,00B05685,00000002,?,00B05721,00B08396), ref: 00B055F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B0560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00B1BE94,000000FF,?,00B05685,00000002,?,00B05721,00B08396), ref: 00B0562D

Strings

mscoree.dll, xrefs: 00B055F2
CorExitProcess, xrefs: 00B05603

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1aba4b92928caa60985aa55f5cdf5bc42e94752c03eb207079b099ef36def44
Instruction ID: e2766b9db8d6e9a5233a61ff166348a18a552fa6db151bead0f42ac132b6d7bd
Opcode Fuzzy Hash: f1aba4b92928caa60985aa55f5cdf5bc42e94752c03eb207079b099ef36def44
Instruction Fuzzy Hash: 6A018631A44A69EFDB229F54DC09FAEBBF8FB04B15F000965F811A36E0DF759905CA90

Function 00B0D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B0D76F
__alloca_probe_16.LIBCMT ref: 00B0D838
__freea.LIBCMT ref: 00B0D89F

Part of subcall function 00B0BF11: RtlAllocateHeap.NTDLL(00000000,00B0DF35,?,?,00B0DF35,00000220,?,00000000,?), ref: 00B0BF43

__freea.LIBCMT ref: 00B0D8B2
__freea.LIBCMT ref: 00B0D8BF

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 314719ca52a31c40a02d6eb090a0fa51b2ea9a863254c3039a1af985fd6b7b07
Instruction ID: 773937191fed03f376c64c8a222a8f000d73da2024b6b9f5b8f3140edae1914d
Opcode Fuzzy Hash: 314719ca52a31c40a02d6eb090a0fa51b2ea9a863254c3039a1af985fd6b7b07
Instruction Fuzzy Hash: F4518F7260030AAFEB215FA4CC85EBB7EE9EF44760B1546A9FD04D72D1EB70DC1096A0

Function 00AFEFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AFF005
AcquireSRWLockExclusive.KERNEL32(00AF8E38), ref: 00AFF024
AcquireSRWLockExclusive.KERNEL32(00AF8E38,00AFA2F0,?), ref: 00AFF052
TryAcquireSRWLockExclusive.KERNEL32(00AF8E38,00AFA2F0,?), ref: 00AFF0AD
TryAcquireSRWLockExclusive.KERNEL32(00AF8E38,00AFA2F0,?), ref: 00AFF0C4

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: aef4d41f44eb33fc0cb5177dcfe8d33473bdc054a8751b9e9b70fcf5c0db6adf
Instruction ID: 3e1163e2c1fc78e9b43b12830b5257f5d1b9a5a2d2d3e700903ed1fe8b4fda39
Opcode Fuzzy Hash: aef4d41f44eb33fc0cb5177dcfe8d33473bdc054a8751b9e9b70fcf5c0db6adf
Instruction Fuzzy Hash: 9841377150060EDFCB20DFA5C5819BAB3B5FF04311B104A3AF696D7652EB30E985CB55

Function 00AF3C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF3CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00AF3CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3CE0
__Getctype.LIBCPMT ref: 00AF3D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3DD8

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 219ae25abe507fd2bb8ef4af22aed0b536cc65eea4b8509dace208ce28a4e2c6
Instruction ID: 758f4d800d22f6f241cb9c28426fdb0938c99770ec24e774937fed34929f8c4f
Opcode Fuzzy Hash: 219ae25abe507fd2bb8ef4af22aed0b536cc65eea4b8509dace208ce28a4e2c6
Instruction Fuzzy Hash: 66415CB2D002188FCB20DF94D944BAEBBB1FF58720F148529E9196B391DB34AD45CF91

Function 00AFD4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AFD4C9
std::_Lockit::_Lockit.LIBCPMT ref: 00AFD4D3
int.LIBCPMT ref: 00AFD4EA

Part of subcall function 00AFC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00AFC1F6
Part of subcall function 00AFC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFC210

codecvt.LIBCPMT ref: 00AFD50D
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFD544

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 11a77e1584597c46cb72c105a33eea7cb939cb09e7bb2fd0daa81a06be1f5d66
Instruction ID: a31e61a6f09a682adaa7db5882f36b081e352c4f40300097b27eb5372cd0677c
Opcode Fuzzy Hash: 11a77e1584597c46cb72c105a33eea7cb939cb09e7bb2fd0daa81a06be1f5d66
Instruction Fuzzy Hash: D301C47290011D9FCF16EBE4CA55AFDBBB6AF84324F144509F619AB281CF749E01C781

Function 00AFADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AFADDE
std::_Lockit::_Lockit.LIBCPMT ref: 00AFADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFAE57

Part of subcall function 00AFACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00AFACC2

std::locale::_Setgloballocale.LIBCPMT ref: 00AFAE04
_Yarn.LIBCPMT ref: 00AFAE1A

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 7208536c46aecdbd874202833c5a2ba54be9fc991ae4a782b0366a5ac5d1d8e2
Instruction ID: 620aadc4d634dd0c5db772a5662d2c1c6bf9b3dea3f77917d1cd368d97b895c1
Opcode Fuzzy Hash: 7208536c46aecdbd874202833c5a2ba54be9fc991ae4a782b0366a5ac5d1d8e2
Instruction Fuzzy Hash: EB01B1B56002249FCB05FBA0D9519BD7BA1FF98750B040019FA0A57391CF345E83CB82

Function 00AFB755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00AFB809

Strings

RCC, xrefs: 00AFB795
MOC, xrefs: 00AFB789
csm, xrefs: 00AFB7A1

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: dc88745878b54296d4c220863200661694cb63abd7d0f6426f26286a67af9d1b
Instruction ID: 9e9346141ce869bfd7f555f98d6600ec25419819e81ec5221f706b975eb9fc43
Opcode Fuzzy Hash: dc88745878b54296d4c220863200661694cb63abd7d0f6426f26286a67af9d1b
Instruction Fuzzy Hash: B121FF3582120DDFCB24AFE4C841ABAB7BCEF84360F14455EF61197690DB34AA41CAA0

Function 00B16940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B169DC,00000000,?,00B2D2B0,?,?,?,00B16913,00000004,InitializeCriticalSectionEx,00B20D34,00B20D3C), ref: 00B1694D
GetLastError.KERNEL32(?,00B169DC,00000000,?,00B2D2B0,?,?,?,00B16913,00000004,InitializeCriticalSectionEx,00B20D34,00B20D3C,00000000,?,00B0BBBC), ref: 00B16957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B1697F

Strings

api-ms-, xrefs: 00B16964

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 063ab4cad0408578957aefc971318741ecf8ee5b517d123eeba19bef0e700822
Instruction ID: 73bedeab8dcf795883717703a43004c8f2d4d341deb24495a8f5dd79f2d06d33
Opcode Fuzzy Hash: 063ab4cad0408578957aefc971318741ecf8ee5b517d123eeba19bef0e700822
Instruction Fuzzy Hash: 99E01230380248B7DF201B60EC46BAD3B99DB54BD1F640460F94CA84E0DB71DC919944

Function 00B13F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(C1C6EE9B,00000000,00000000,?), ref: 00B14001

Part of subcall function 00B0C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B0D895,?,00000000,-00000008), ref: 00B0C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B14253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B14299
GetLastError.KERNEL32 ref: 00B1433C

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 41efb2d68a1f62d1dca26da1fb5c350221c3e25cd35f1e867f1d79298c62966e
Instruction ID: 8174bf464697edb1ef663fc0e438d596defd3aebcde232d6c0a4dbbb754e851f
Opcode Fuzzy Hash: 41efb2d68a1f62d1dca26da1fb5c350221c3e25cd35f1e867f1d79298c62966e
Instruction Fuzzy Hash: 50D169B5D002589FCB15CFA8D880AEDBBF5FF09314F6845AAE525EB351D730A982CB50

Function 00B0B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B0B35C
___AdjustPointer.LIBCMT ref: 00B0B37F
___AdjustPointer.LIBCMT ref: 00B0B41B

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: eaa833b731c61951d14c52b6d8eb7746d4ff787602f2435d26aa09b5d77c7c2b
Instruction ID: f58c401774273951d38b93b19be1933074de1c20b598d0fbcf1f22fe1de15ed7
Opcode Fuzzy Hash: eaa833b731c61951d14c52b6d8eb7746d4ff787602f2435d26aa09b5d77c7c2b
Instruction Fuzzy Hash: 7F51D072A04606AFDB299F50D991FBABBE4EF00710F2441ADF906572E1E731ED80CB94

Function 00AF7220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AF72C5
std::_Throw_Cpp_error.LIBCPMT ref: 00AF7395
std::_Throw_Cpp_error.LIBCPMT ref: 00AF73A3
std::_Throw_Cpp_error.LIBCPMT ref: 00AF73B1

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: bd087d07a01171cf1a957864dd02381b6e6aca886dd0f582fdd0511ed2d61f7a
Instruction ID: 8de56c78e9635646a2d2cba45f0eeec81517da6d987564820373b9cdfa9e4056
Opcode Fuzzy Hash: bd087d07a01171cf1a957864dd02381b6e6aca886dd0f582fdd0511ed2d61f7a
Instruction Fuzzy Hash: 4A41E5B190430DDBDB20EBA4C94177EB7B5BF44320F144639FA568B691EB34E815CB91

Function 00AF4460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF4495
std::_Lockit::_Lockit.LIBCPMT ref: 00AF44B2
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF44D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF4580

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 78026ec207a4d945f411c97a884f8873c20b4b0e0a1e187e3d82c57617ef2249
Instruction ID: 9db9e777e27391c13c4eb054706376460711ea9f576e09f39ea223b15dc6ecbc
Opcode Fuzzy Hash: 78026ec207a4d945f411c97a884f8873c20b4b0e0a1e187e3d82c57617ef2249
Instruction Fuzzy Hash: E14137B1D002198FCB20EF94D944BEEBBB0FB58720F144229EA1967391DB34AD45CFA1

Function 00B11DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00B0C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B0D895,?,00000000,-00000008), ref: 00B0C082

GetLastError.KERNEL32 ref: 00B11E2A
__dosmaperr.LIBCMT ref: 00B11E31
GetLastError.KERNEL32 ref: 00B11E6B
__dosmaperr.LIBCMT ref: 00B11E72

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 3611b00d7870f2a4001ee6326d6ac43c915b019d8c0e427dd1018b5282b6aa4b
Instruction ID: ec369df68fe0c2f9a8ab6a02a2cdc47555baeb6fc662ceea5273cad6659a2ce9
Opcode Fuzzy Hash: 3611b00d7870f2a4001ee6326d6ac43c915b019d8c0e427dd1018b5282b6aa4b
Instruction Fuzzy Hash: DB21DA72604615AFDB20AFA9D8808ABBBEDFF003647508999FE15D7151DB30EC91C790

Function 00B02BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20423c122d0d2c336c9d1caac7c71bdcc0b616f92d3e6ba43f774277bbb90b13
Instruction ID: 26f4a5b61b09f78186b1d485c8e6d1a201dbb681b6368dd117f6c098ac7a3220
Opcode Fuzzy Hash: 20423c122d0d2c336c9d1caac7c71bdcc0b616f92d3e6ba43f774277bbb90b13
Instruction Fuzzy Hash: 14219D71604215AFEB31AF658D8996ABFE8FF40364B108599F85A972D1EF30EC4487A0

Function 00B131BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B131C6

Part of subcall function 00B0C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B0D895,?,00000000,-00000008), ref: 00B0C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B131FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B1321E

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: ab902e963bb9471cd8577e6129218fbbf5d3bdeeb79dd928eea3b1eaacea04e8
Instruction ID: 2dfd0da7df54c30073660dfca98a006503e803329888f4b18bfe0a4817e787af
Opcode Fuzzy Hash: ab902e963bb9471cd8577e6129218fbbf5d3bdeeb79dd928eea3b1eaacea04e8
Instruction Fuzzy Hash: F711ADB1501115BEA6223BB59C8ACEF6EDCDE86B9475009A4FA0592140FF749F8181B1

Function 00AFE892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AFE899
std::_Lockit::_Lockit.LIBCPMT ref: 00AFE8A3
int.LIBCPMT ref: 00AFE8BA

Part of subcall function 00AFC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00AFC1F6
Part of subcall function 00AFC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFC210

std::_Lockit::~_Lockit.LIBCPMT ref: 00AFE914

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: df27f2dd0b30a9a37c1c7987ccf31d860beb2ba97f100569f005c140c625b48c
Instruction ID: 83b94c46283dd77fd0d8d54fd757fffc04beedde8f12ee8e89882086d6e27f8a
Opcode Fuzzy Hash: df27f2dd0b30a9a37c1c7987ccf31d860beb2ba97f100569f005c140c625b48c
Instruction Fuzzy Hash: C911E13280411D9BCB15FBE4CA856BDBBB1AF84720F240119F615AB2A1CF749E41CB91

Function 00B1ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00B1A2EF,00000000,00000001,00000000,?,?,00B14390,?,00000000,00000000), ref: 00B1ADB7
GetLastError.KERNEL32(?,00B1A2EF,00000000,00000001,00000000,?,?,00B14390,?,00000000,00000000,?,?,?,00B13CD6,00000000), ref: 00B1ADC3

Part of subcall function 00B1AE20: CloseHandle.KERNEL32(FFFFFFFE,00B1ADD3,?,00B1A2EF,00000000,00000001,00000000,?,?,00B14390,?,00000000,00000000,?,?), ref: 00B1AE30

___initconout.LIBCMT ref: 00B1ADD3

Part of subcall function 00B1ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B1AD91,00B1A2DC,?,?,00B14390,?,00000000,00000000,?), ref: 00B1AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00B1A2EF,00000000,00000001,00000000,?,?,00B14390,?,00000000,00000000,?), ref: 00B1ADE8

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 59405f7a9e99dd4b2a23f651160082675c92263fa1dd2157e26dcbae97af288a
Instruction ID: 82d4738484fe7afe51e5be0587fe8ee51259ef67b0c214262e96e5037cb98fd7
Opcode Fuzzy Hash: 59405f7a9e99dd4b2a23f651160082675c92263fa1dd2157e26dcbae97af288a
Instruction Fuzzy Hash: EBF01C36501118BBCF322FD5EC089DA3F66FF087B1B504061FA0886130DF329CA1AB91

Function 00B004F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B00507
GetCurrentThreadId.KERNEL32 ref: 00B00516
GetCurrentProcessId.KERNEL32 ref: 00B0051F
QueryPerformanceCounter.KERNEL32(?), ref: 00B0052C

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: f01b7cc8fb23ed2ddc0a33628b6ad7d742efa16a9722243eb1cc368b42f87a85
Instruction ID: d4f5f6be5afdf136459d02cdf2d2e03cb98b71bf611770c7f25c47ed500a6974
Opcode Fuzzy Hash: f01b7cc8fb23ed2ddc0a33628b6ad7d742efa16a9722243eb1cc368b42f87a85
Instruction Fuzzy Hash: 85F06274D1020DEBCB10EFB4DA4999EBBF4FF1C200B9149A5E412E7114EB30AB459B50

Function 00B10976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(?,?,00B05495,00B28E38,0000000C), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000), ref: 00B0C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00B05BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00B10A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00B05BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00B10A6C

Strings

utf8, xrefs: 00B10B3E

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 9fb1461f249107ade5af4acba041a13d5a4a9f00981e12f2206572aa0f26a012
Instruction ID: b1f7e92a562d776646766e8acbec099ed20aaa867c744971a52ffaa09ea44932
Opcode Fuzzy Hash: 9fb1461f249107ade5af4acba041a13d5a4a9f00981e12f2206572aa0f26a012
Instruction Fuzzy Hash: F551C531624305AAE724BB358C82FEB73E8EF45704F9444A9F5499B182F6F0E9C087A5

Function 00AF73E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00AF7526
___std_exception_copy.LIBVCRUNTIME ref: 00AF7561

Part of subcall function 00AFAF37: CreateThreadpoolWork.KERNEL32(00AFB060,00AF8A2A,00000000), ref: 00AFAF46
Part of subcall function 00AFAF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00AFAF53

Strings

Fail to schedule the chore!, xrefs: 00AF7551, 00AF7560

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: 600c7005b64447c82aa9621262215d968ba7c7a3c03ed2c219284c79c76692a1
Instruction ID: 73ff52a3daf08e7b62b5f4a0922dd8c64094a3e29e2be0c086a72bbd444cc7b9
Opcode Fuzzy Hash: 600c7005b64447c82aa9621262215d968ba7c7a3c03ed2c219284c79c76692a1
Instruction Fuzzy Hash: 96519AB19012189FCB11EF94D844BBEBBB1FF08314F144129F919AB391DB75AA05CF91

Function 00B0B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00B0B893,?,?,00000000,00000000,00000000,?), ref: 00B0B9B7

Strings

MOC, xrefs: 00B0B9C9
RCC, xrefs: 00B0B9D1

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 087abed8b59688963cd9b3d08035e8d958e9681b1d3944e291175bc4d344c316
Instruction ID: 96cd0183016edc4a0f16059e7cd1a9bc203388d400cbb735f39fd13615491e39
Opcode Fuzzy Hash: 087abed8b59688963cd9b3d08035e8d958e9681b1d3944e291175bc4d344c316
Instruction Fuzzy Hash: FF413672A00209AFCF15DF98CC81EAEBFB5FF48300F198199FA14A72A2D7359950DB51

Function 00AF3E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF3EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF4002

Part of subcall function 00AFABC5: _Yarn.LIBCPMT ref: 00AFABE5
Part of subcall function 00AFABC5: _Yarn.LIBCPMT ref: 00AFAC09

Strings

bad locale name, xrefs: 00AF3F46

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: 6152fc02cdcbe97f6beff91f9cc8a64603a58e61bc68c96bedbde1fac08921c1
Instruction ID: 9c096a05d6de0f2e5e5c8c19266722ad5fe8dcc05d2c54ab6db24c13c59aa335
Opcode Fuzzy Hash: 6152fc02cdcbe97f6beff91f9cc8a64603a58e61bc68c96bedbde1fac08921c1
Instruction Fuzzy Hash: A541A2F1A007459BEB10DF69C805B6BBBF8BF04714F044628E5499B781E77AE518CBE1

Function 00B0B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B0B475

Strings

csm, xrefs: 00B0B508
csm, xrefs: 00B0B497

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: b6cb4d5900a5348a6578bca989d42c67387b6ba30481f1ffeae96e8f01cf26e9
Instruction ID: 209e286b9d493a7b91bd6e2996598642437c040d599c87671375462c9581f40d
Opcode Fuzzy Hash: b6cb4d5900a5348a6578bca989d42c67387b6ba30481f1ffeae96e8f01cf26e9
Instruction Fuzzy Hash: 5631A172410219EFCF269F50CC51CAA7FA6EB18315B1846DAF9544A2A2C332DEA1DB81

Function 00AFB831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00AFB8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 00AFB8DE

Part of subcall function 00B0060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00AFF354,03284228,?,?,?,00AFF354,00AF3D4A,00B2759C,00AF3D4A), ref: 00B0066D

Part of subcall function 00B08353: IsProcessorFeaturePresent.KERNEL32(00000017,00B0C224), ref: 00B0836F

Strings

csm, xrefs: 00AFB86D

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: c1c2da2a2059d4783a8eb9b6a5df2220ad9a63bab815272fc255f71ee4723034
Instruction ID: 3b8fecba60c3d8539a36efa00792549fa7b9161d9efb8c330ab7d7bde0395762
Opcode Fuzzy Hash: c1c2da2a2059d4783a8eb9b6a5df2220ad9a63bab815272fc255f71ee4723034
Instruction Fuzzy Hash: D9214531E2021CEBCF24DFD9D945ABEB7B9AF84750F180419F606AB250CB70AD45CBA1

Function 00AFB46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AF2673

Strings

bad array new length, xrefs: 00AF2626
ios_base::badbit set, xrefs: 00AF2650

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 765a4fe2d852692c95123f1e55a553019cbf64e5e5699beeca7cba333e1c6d14
Instruction ID: 6889cb0736b0b1b90b39c7ef4eb324d1486b110c8dda68201d5ce3dd9e19ad44
Opcode Fuzzy Hash: 765a4fe2d852692c95123f1e55a553019cbf64e5e5699beeca7cba333e1c6d14
Instruction Fuzzy Hash: 9701BCF2614304ABDB04AF28D856B6ABBE4EF08318F4189ACF45DCB341D775E848CB81

Function 00AF2610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B0060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00AFF354,03284228,?,?,?,00AFF354,00AF3D4A,00B2759C,00AF3D4A), ref: 00B0066D

___std_exception_copy.LIBVCRUNTIME ref: 00AF2673

Strings

bad array new length, xrefs: 00AF2626
ios_base::badbit set, xrefs: 00AF2650

Memory Dump Source

Source File: 00000000.00000002.1657304798.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000000.00000002.1657287013.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657346854.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657372429.0000000000B2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657388416.0000000000B2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657403649.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657418013.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1657475698.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_af0000_Script.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: d1464c8679519f1ff76141e63537c9345d26f63cba690b9ba3b6dc76a54ba965
Instruction ID: 9b44283b77d0c54e4365400f313406439f681624fd5b71afc6af70cc038d04f9
Opcode Fuzzy Hash: d1464c8679519f1ff76141e63537c9345d26f63cba690b9ba3b6dc76a54ba965
Instruction Fuzzy Hash: C1F0F8F2614310ABD700AF18D84A747BBE4EB59718F418C9CF5989B350D7B5D448CB92

Analysis Process: Script.exePID: 6016, Parent PID: 1344COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.7%
Total number of Nodes:	76
Total number of Limit Nodes:	6

Executed Functions

Function 0043D970 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00440DBD,?,00000018,?,?,00000018,?,?,?), ref: 0043D99E

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043DE17 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

xjg, xrefs: 0043E35B

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: xjg
API String ID: 2994545307-3915880236
Opcode ID: c849624adef376947a99dc2c636041b848f07be78dc4fa52326f0cd172569b18
Instruction ID: 5ded33b65fbca669af91478c5c49821764fa697413801c9ec5f4f7f5353871f7
Opcode Fuzzy Hash: c849624adef376947a99dc2c636041b848f07be78dc4fa52326f0cd172569b18
Instruction Fuzzy Hash: 52112B7834A2148BD7089F5ADCD157B7361EB5B304F28743DDA96D3391C6389916CB0E

Function 0043DC6A Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb58d150ac9b161d8541a5c67fe54a2c14cf53bc6573287a5aa386e1286ddae9
Instruction ID: 846741e3d35176ffb6fefe6c9631efcac028a60c789433ed29bd146e87b43e37
Opcode Fuzzy Hash: bb58d150ac9b161d8541a5c67fe54a2c14cf53bc6573287a5aa386e1286ddae9
Instruction Fuzzy Hash: 00415B74758301ABE728DF14FC91F3B73A2E78A300F18E53DE142972D1DA285815C719

Function 00408700 Relevance: 7.6, APIs: 5, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408721
GetCurrentThreadId.KERNEL32 ref: 00408727
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408738
GetForegroundWindow.USER32 ref: 004087CC
ExitProcess.KERNEL32 ref: 0040880B

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 4e6b60e15db8346b87a15e97a1c4fea7d725817accabe946b797099010adcc2e
Instruction ID: 7898d610b8b9a67522257c9ee486d783a58c5f04e9cbb592a6b001696d4b01d9
Opcode Fuzzy Hash: 4e6b60e15db8346b87a15e97a1c4fea7d725817accabe946b797099010adcc2e
Instruction Fuzzy Hash: 262164B1A402008BD7143F709E0A71677919F43716F258A3EE8E1BB3E7EA3C4801879E

Function 0040C93F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C951
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C972

Strings

I}, xrefs: 0040C978

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeSecurity
String ID: I}
API String ID: 640775948-454040721
Opcode ID: 24b880f7a0c911c4f3f00a54eb0ea71d99ad2dc1c2ee2158177c278956202a37
Instruction ID: 3746464648809fb258fe21d1e91771d3bac83fe2bb28d0741c317fb80ee58e5f
Opcode Fuzzy Hash: 24b880f7a0c911c4f3f00a54eb0ea71d99ad2dc1c2ee2158177c278956202a37
Instruction Fuzzy Hash: 4FE042787C83117BF6799B54ED57F1432256B86F22F344314B7253D6E58AE03201851C

Function 0043E87C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E87C
GetForegroundWindow.USER32 ref: 0043E88D

Strings

Hhg, xrefs: 0043E89E

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: ForegroundWindow
String ID: Hhg
API String ID: 2020703349-4281995326
Opcode ID: c73eb67316fab12a850df1827bdb3a0c6f9c170d2b6a60973d365e601d6e8639
Instruction ID: 4f26cf2b5c18bb3a291164ce3ff766b01ce0290b13cab42f3178c452901b16e7
Opcode Fuzzy Hash: c73eb67316fab12a850df1827bdb3a0c6f9c170d2b6a60973d365e601d6e8639
Instruction Fuzzy Hash: 94D05EFCF001415BCA049B62FC3A40B3715F74624BB044439E80683326D539B908898A

Function 00437647 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043766A

Strings

YEBC, xrefs: 00437692

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: YEBC
API String ID: 95929093-3431656882
Opcode ID: a46c18300cafc465af0690476a1889a96d3f729e52a61b51f52bf86cdac35057
Instruction ID: 5a5000ae83b20ec24457bd16609dc6f7a0f6320969e90cb5dbcf98a9148123d7
Opcode Fuzzy Hash: a46c18300cafc465af0690476a1889a96d3f729e52a61b51f52bf86cdac35057
Instruction Fuzzy Hash: 0611C176E096548FDB09CF79C9607AD7BF16B6E300F0980ADD48AA7391CE3949048B65

Function 0043D8E0 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B6E1,00000000,00000001), ref: 0043D912

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d38626d37e052fb4f55849f104130760729e14c8b3fa68709f5574a891d1a7e0
Instruction ID: d19f92d431edb0342907fe441d40d09edb07ee05f7232ba1a69438fa291609f6
Opcode Fuzzy Hash: d38626d37e052fb4f55849f104130760729e14c8b3fa68709f5574a891d1a7e0
Instruction Fuzzy Hash: 79F0F6BA814515EBC7003B39BC06A1B36A4EF8B355F0514BAF50552121DB39E801D6EA

Function 0040C8D0 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C8E3

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 745e886bb64db748b00b1f74c6f76b6f84ba77ccf119b4913f35b528d2d8a7ce
Instruction ID: ba45151629721573d1e867463af21bfb29369c9cc6edaff969acdb11820127f3
Opcode Fuzzy Hash: 745e886bb64db748b00b1f74c6f76b6f84ba77ccf119b4913f35b528d2d8a7ce
Instruction Fuzzy Hash: D3D0A7345946486BD314771CEC47F17375C9343755F400238F262DA2D3DD506910C669

Function 0043BC00 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0042169F,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043BC20

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2660612d26db1bcfcbf314a6b6debdb7b7beff9595741d37e950765016bc011c
Instruction ID: 3fb7ea048fe862cd413cd0973453d6f0d943ae68d3a351da8e8434a786bbb282
Opcode Fuzzy Hash: 2660612d26db1bcfcbf314a6b6debdb7b7beff9595741d37e950765016bc011c
Instruction Fuzzy Hash: 05D0C931415122EBCA502F18BC15BCB3B54AF4A361F0B08A2B5046A075C665EC91DAD8

Function 0043BBE0 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,0040876C,?,0040876C), ref: 0043BBF0

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f4cd2198894bee7e8dcce7ff43bfd595e7221b3a6ba3f232ad572940803e431f
Instruction ID: aee00025be20e00b4e0d6da119e4a0732a3eedf8165af1979d285b47108d1b23
Opcode Fuzzy Hash: f4cd2198894bee7e8dcce7ff43bfd595e7221b3a6ba3f232ad572940803e431f
Instruction Fuzzy Hash: 4AC04C31445121ABC5106B15FC09BC67B549F45361F0100A6B104670718661AC828A98

Function 0040CE14 Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0040CE14

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: c31203cf4b463ee8f989347fe057b75e8b0d1aa7a919b0c238bc14c9d5ecad1a
Instruction ID: a4135e25266ff1fd5a2181c38c36f71bf0be546164ca6c437b40ae1b38f4b4ab
Opcode Fuzzy Hash: c31203cf4b463ee8f989347fe057b75e8b0d1aa7a919b0c238bc14c9d5ecad1a
Instruction Fuzzy Hash: A3C0127DA6C50087974D8B10DC582B93266A69A70B31C912C950686217D5B05101460C

Non-executed Functions

Function 00433650 Relevance: 31.6, APIs: 2, Strings: 16, Instructions: 146COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00433699
GetSystemMetrics.USER32 ref: 004336A9

Strings

0:C, xrefs: 004338D5
0:C, xrefs: 004338A9
C:C, xrefs: 004338BF
-iI, xrefs: 004337E0
0:C, xrefs: 00433846
0:C, xrefs: 00433867
0:C, xrefs: 00433872
0:C, xrefs: 004338B4
>C, xrefs: 00433888
, xrefs: 00433796
0:C, xrefs: 0043389E
0:C, xrefs: 00433851
0:C, xrefs: 0043383B
?C, xrefs: 00433830
0:C, xrefs: 004338CA
6>C, xrefs: 00433825

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: MetricsSystem
String ID: ?C$ $-iI$0:C$0:C$0:C$0:C$0:C$0:C$0:C$0:C$0:C$0:C$6>C$C:C$>C
API String ID: 4116985748-1116947463
Opcode ID: 4bc9faf0d76279a8d3301667b067c5f9f3de18c8ea4b7e03216d47eb7046d489
Instruction ID: 2ee40eae269c76004da94e207fa193a71e79e8ad67abb3411dcb59d3e89f98e8
Opcode Fuzzy Hash: 4bc9faf0d76279a8d3301667b067c5f9f3de18c8ea4b7e03216d47eb7046d489
Instruction Fuzzy Hash: 39815FB45097808FE360DF28D58879BBBF0BB85708F10892EE5988B350DB759949CF5A

Function 00423171 Relevance: 23.2, APIs: 2, Strings: 11, Instructions: 427COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 00423197

Strings

-_xY, xrefs: 00423606
^Y, xrefs: 004234EE
+N, xrefs: 004234D6
+C8M, xrefs: 004235DE
JB, xrefs: 004234DE
W<Q, xrefs: 004235F6
EG, xrefs: 00423330
z{, xrefs: 0042364E
%S#], xrefs: 004235FE
Bc-m, xrefs: 0042361E
]F, xrefs: 004234E6

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: W<Q$%S#]$+C8M$+N$-_xY$Bc-m$JB$]F$^Y$z{$EG
API String ID: 237503144-2404918860
Opcode ID: ca0225884c858be354e5be6055d5bfdbde23eba5d29d939935d38c77754084e0
Instruction ID: 83f4eb1c3b0d8489de9cce998ac4f94859e9427af74067a6139ed9f2857c18bf
Opcode Fuzzy Hash: ca0225884c858be354e5be6055d5bfdbde23eba5d29d939935d38c77754084e0
Instruction Fuzzy Hash: EFD1D9B4208340CFD314DF55E89162BBBE0FF86354F58896DF99A8B351E7388906CB5A

Function 00433440 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 147clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433450
GetClipboardData.USER32 ref: 0043346B
GlobalLock.KERNEL32 ref: 00433484
GetWindowLongW.USER32 ref: 004334EC
GlobalUnlock.KERNEL32 ref: 00433629
CloseClipboard.USER32 ref: 00433634

Strings

-, xrefs: 00433511
(, xrefs: 0043351B
@, xrefs: 0043353E
+, xrefs: 00433525

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($+$-$@
API String ID: 2832541153-3554917468
Opcode ID: b80490c1aa47f4d13cfbb17de41734a2846cacceb130b9eca04d4013d3788c34
Instruction ID: 4833ead9baec935d1e47f7a0176fd7ab4cc90e77a64882814c11484b737bc4f0
Opcode Fuzzy Hash: b80490c1aa47f4d13cfbb17de41734a2846cacceb130b9eca04d4013d3788c34
Instruction Fuzzy Hash: 7A51237150C7848FD300EF78984932FBED19B95325F094A3EE4E5873D1EA78864A935B

Function 0041D9D0 Relevance: 14.6, Strings: 11, Instructions: 896COMMON

Download Yara Rule

Strings

Z[CD, xrefs: 0041DCE0
9?, xrefs: 0041E359
Q$, xrefs: 0041DD00
I, xrefs: 0041DBD9
6Cjz, xrefs: 0041DD94
w, xrefs: 0041DD60
OVK[, xrefs: 0041DCD0
MKYT, xrefs: 0041DCC8
L@EE, xrefs: 0041DCE8
czgw, xrefs: 0041DD18
WCSW, xrefs: 0041DCF8

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 6Cjz$9?$I$L@EE$MKYT$OVK[$Q$$WCSW$Z[CD$czgw$w
API String ID: 0-629887381
Opcode ID: f70a8035d3e6d300d3a83a7bba1cb06e82199934d555bbc632b95ad55875e646
Instruction ID: f00123da2842d88c2895a34344b646ae639268db71afc8bac51acf6c4a6f6c42
Opcode Fuzzy Hash: f70a8035d3e6d300d3a83a7bba1cb06e82199934d555bbc632b95ad55875e646
Instruction Fuzzy Hash: AA527D7490C3908FC721CF25C8507AFBBE1AF95314F08866EE8E95B392D7398946CB56

Function 00408E50 Relevance: 11.5, Strings: 9, Instructions: 256COMMON

Download Yara Rule

Strings

$_, xrefs: 00408EA3
srb~, xrefs: 00408ECE
|nzc, xrefs: 00408EE6
ndn-, xrefs: 00408EF6
uG[E, xrefs: 00408EFE
-, xrefs: 00408F16
cX?v, xrefs: 00408EEE
q?Ga, xrefs: 00408ED6
vfdk, xrefs: 00408EDE

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $_$-$cX?v$ndn-$q?Ga$srb~$uG[E$vfdk$|nzc
API String ID: 0-2482235978
Opcode ID: 833e9d7832c33974310b6282963fba8c1f8a1d80212765be31ff528a5ee5e842
Instruction ID: 29f5885c2b097f52bf3417a0236118fd35edc22a81fc5c48a22b5321f092059f
Opcode Fuzzy Hash: 833e9d7832c33974310b6282963fba8c1f8a1d80212765be31ff528a5ee5e842
Instruction Fuzzy Hash: F871066150C3828BD305CB398560767FFE19FE3214F284A6EE4D59B392D7398909875A

Function 004222A2 Relevance: 9.8, Strings: 7, Instructions: 1054COMMON

Download Yara Rule

Strings

v, xrefs: 004224B4
@.B, xrefs: 00422E23
~q, xrefs: 00422734
PE, xrefs: 004222A4
HQ\-, xrefs: 00422406
W_, xrefs: 00422689
lev-tolstoi.com, xrefs: 004227A9

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: @.B$HQ\-$PE$W_$lev-tolstoi.com$v$~q
API String ID: 0-1397386
Opcode ID: ee4427317c00ef0b7453d7870f05bc4b5a334d866f37fc7202a8ec8b326c5475
Instruction ID: 77acf32d1074684472be4293aba1e33b9527bcaf522d8fae9d6ad06f08ee7254
Opcode Fuzzy Hash: ee4427317c00ef0b7453d7870f05bc4b5a334d866f37fc7202a8ec8b326c5475
Instruction Fuzzy Hash: FB725175608351DFD324CF28E89076BB7E2FB8A314F59893CE89587391D7789806CB86

Function 0040DEBE Relevance: 9.6, APIs: 2, Strings: 4, Instructions: 603COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DECA
CoUninitialize.OLE32 ref: 0040E2CC

Strings

n, xrefs: 0040E2E1
%()., xrefs: 0040E5FC
~, xrefs: 0040E389
lev-tolstoi.com, xrefs: 0040E2A6, 0040E6A6

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Uninitialize
String ID: %().$lev-tolstoi.com$n$~
API String ID: 3861434553-1053169509
Opcode ID: f2bbb2c1cbcc91e4ef295ce591337a990f121c3deeedab843836382ded43cda7
Instruction ID: 651897ea68ee6f7069d920b30b59056feb5ed20b7d1bfed893a11183a5c38717
Opcode Fuzzy Hash: f2bbb2c1cbcc91e4ef295ce591337a990f121c3deeedab843836382ded43cda7
Instruction Fuzzy Hash: 1612BCB05083D28BD325CF2A94A07EFBFE0AF92344F284D6DD4C65B242D779454ACB96

Function 00429E35 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 498COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?), ref: 00429E5A

Strings

a`th, xrefs: 0042A28C
D[, xrefs: 0042A2B4
syjQ, xrefs: 0042A29C
#"! , xrefs: 00429F93

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: #"! $D[$a`th$syjQ
API String ID: 237503144-2004775968
Opcode ID: ce3b0ae0d7cc873eff2019259c4339435468596e76374a7a326c83b864607a0c
Instruction ID: 9c95ed4adec4f6f90933a18f6988ef8cfba51791e001f28754dcd87738f03a5d
Opcode Fuzzy Hash: ce3b0ae0d7cc873eff2019259c4339435468596e76374a7a326c83b864607a0c
Instruction Fuzzy Hash: 0E020174608350DFD3109F28E88176BB7E1AB8A318F444ABDF9C547292D7398D1ACB5A

Function 00426090 Relevance: 9.2, Strings: 7, Instructions: 487COMMON

Download Yara Rule

Strings

/@AF, xrefs: 0042625D
Y D&, xrefs: 00426205
>\1B, xrefs: 00426252
O0v6, xrefs: 004261D9
I<!c, xrefs: 0042626D
#"! , xrefs: 00426533
#"! , xrefs: 004263E7

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: #"! $#"! $/@AF$>\1B$I<!c$O0v6$Y D&
API String ID: 0-445666088
Opcode ID: 8b38be937592f384f77047027845a22031ae8d0e2d36775b7d9bc7324843363d
Instruction ID: 00fe87d95f29aebd86013c07aafa4fc88c760012df1282c019cc5e5b076ddc75
Opcode Fuzzy Hash: 8b38be937592f384f77047027845a22031ae8d0e2d36775b7d9bc7324843363d
Instruction Fuzzy Hash: 32F1FFB460C344DFE7248F24E89072FBBB1FB82304F45486DE6D95B251E738990ACB5A

Function 00423720 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 319COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00423838
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?), ref: 004238C5

Strings

:B, xrefs: 00423AD0
QC, xrefs: 0042392C, 00423940, 00423989
z[B, xrefs: 00423BE8, 00423C15

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: QC$z[B$:B
API String ID: 237503144-2471469230
Opcode ID: 6682a68a48b28a8fa80783c932dc4ffd5b5330e6ad58b4537432524558535710
Instruction ID: e267a624231d1689b5f52eb413fe343a07d4896ee2248a2026ce614f1bdd9114
Opcode Fuzzy Hash: 6682a68a48b28a8fa80783c932dc4ffd5b5330e6ad58b4537432524558535710
Instruction Fuzzy Hash: 63A111B560C3009FE320CF25DC4175BBBE5EB86314F10483DFA959B291D77A990ACB8A

Function 00B11A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00B113BD,?,00000000), ref: 00B11AA0
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00B113BD,?,00000000), ref: 00B11AC9
GetACP.KERNEL32(?,?,00B113BD,?,00000000), ref: 00B11ADE

Strings

OCP, xrefs: 00B11A5B
ACP, xrefs: 00B11A25

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: e1dca4241c3d5eaef286d6374c9d17b77cba0ffe6cdebe124912082f19f05a7b
Instruction ID: 0cf5f0c1a331a8849716be94f86778f8aa093f759bbae52290697cbfcf7683cf
Opcode Fuzzy Hash: e1dca4241c3d5eaef286d6374c9d17b77cba0ffe6cdebe124912082f19f05a7b
Instruction Fuzzy Hash: DF217422B22500AADB34CB5CC940AD77BEAEF54B54BD688E4EB2AD7104E732DD81C750

Function 00419970 Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 1151COMMON

Download Yara Rule

APIs

Part of subcall function 0043D970: LdrInitializeThunk.NTDLL(00440DBD,?,00000018,?,?,00000018,?,?,?), ref: 0043D99E

FreeLibrary.KERNEL32(?), ref: 00419EC6
FreeLibrary.KERNEL32(?), ref: 00419F2B

Strings

FG, xrefs: 00419C9D
:93;, xrefs: 00419972

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: :93;$FG
API String ID: 764372645-41819261
Opcode ID: 2eaf7582a46c525969526cfa5406cd0bca91fe8112042bf39a3ee629113de21c
Instruction ID: 32231d06f9a10d06a7cfd48649e1b503e42a2300a2bb23f7736d0d1badc55784
Opcode Fuzzy Hash: 2eaf7582a46c525969526cfa5406cd0bca91fe8112042bf39a3ee629113de21c
Instruction Fuzzy Hash: 578226746093409BE7248B24C894BABBBE2EFD5314F28882DE5C547352D739DC96CB4B

Function 00AF1FB0 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF1240: _strlen.LIBCMT ref: 00AF12BA

GetFileSize.KERNEL32(00000000,00000000), ref: 00AF2046
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00AF206B
CloseHandle.KERNEL32(00000000), ref: 00AF207A
_strlen.LIBCMT ref: 00AF20CD
CloseHandle.KERNEL32(00000000), ref: 00AF21FD

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: CloseFileHandle_strlen$ReadSize
String ID:
API String ID: 1490117831-0
Opcode ID: df3fe8dd94a3948081232812872073e61c4baecbcfe8a0cffe6ff2d64f013aa2
Instruction ID: 433b4deefb5f39aead8af90171d2d82d1cbba4a77c1ea46d00e539ecf708e08c
Opcode Fuzzy Hash: df3fe8dd94a3948081232812872073e61c4baecbcfe8a0cffe6ff2d64f013aa2
Instruction Fuzzy Hash: E471DFB2C002189BCB10DFA4DC44BBEBBB5FF48320F140628F914A7391EB359945CBA5

Function 00B11287 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00B0C16A: GetLastError.KERNEL32(00000000,?,00B0E58D), ref: 00B0C16E
Part of subcall function 00B0C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00B08363), ref: 00B0C210

GetUserDefaultLCID.KERNEL32 ref: 00B1138F
IsValidCodePage.KERNEL32(00000000), ref: 00B113CD
IsValidLocale.KERNEL32(?,00000001), ref: 00B113E0
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00B11428
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00B11443

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: a37e61b2eaf83ec02479f5900d97a0b8acd28a38f10f02b1fa7ba8718af29686
Instruction ID: 9b4d8c6e4a283c9e83ddc239b614860cb5337272944b3da9270151af74c0c45a
Opcode Fuzzy Hash: a37e61b2eaf83ec02479f5900d97a0b8acd28a38f10f02b1fa7ba8718af29686
Instruction Fuzzy Hash: BF518271A00219ABDB20EFA9DC45AFE77F8EF04700F9449A5F614E7194EB709A80CB61

Function 00417E2E Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 538COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,-00000001,00000000,00000000,?), ref: 00418186

Strings

}~, xrefs: 004183CB
}{, xrefs: 004183C3

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: }{$}~
API String ID: 237503144-750507644
Opcode ID: 4523f89c0784cc2d44093adb829dad02dced3539e37ad648681613bc814ba41b
Instruction ID: f2fe4e0d90c10b3acead804b663dae101d32e74fe35640768fe7290a4f66f5e4
Opcode Fuzzy Hash: 4523f89c0784cc2d44093adb829dad02dced3539e37ad648681613bc814ba41b
Instruction Fuzzy Hash: 9D02F7755083228BC720CF29C4906ABB7F1EFD5754F19996EE8C99B360EB388C42C756

Function 0041850C Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 343COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00418557

Strings

}~, xrefs: 004183CB
}{, xrefs: 004183C3

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: }{$}~
API String ID: 237503144-750507644
Opcode ID: c82bb68f823e83e4dd618c8dc5f9185d6292f0eb0da4844a360e7d355e3ef274
Instruction ID: cdd5dc2489ab5cd6b838cbdd6501a5f5998a665d6a058193ed3c477a99a17239
Opcode Fuzzy Hash: c82bb68f823e83e4dd618c8dc5f9185d6292f0eb0da4844a360e7d355e3ef274
Instruction Fuzzy Hash: 3DA126795083528BC724CF24C8806BBB7F1EF85764F19496EE8C997390EB38C882C756

Function 004239C0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

:B, xrefs: 00423AD0
QC, xrefs: 0042392C, 00423940, 00423989
z[B, xrefs: 00423BE8, 00423C15

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: QC$z[B$:B
API String ID: 0-2471469230
Opcode ID: 7b3e2799ce009fe4f4aa5e7be6138732dfbcd7886255463f1a74577a9e8e99ed
Instruction ID: 09c64748da38a1aabb966a404f278b2d8b9d2d28b263df5e954f2641f6299216
Opcode Fuzzy Hash: 7b3e2799ce009fe4f4aa5e7be6138732dfbcd7886255463f1a74577a9e8e99ed
Instruction Fuzzy Hash: 9081F2B560C341DFE3208F25EC41B9BB7E4EB86318F10493DFA9897291D7759906CB8A

Function 00423B80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

:B, xrefs: 00423AD0
QC, xrefs: 0042392C, 00423940, 00423989
z[B, xrefs: 00423BE8, 00423C15

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: QC$z[B$:B
API String ID: 0-2471469230
Opcode ID: 7fdf529d3daf414f316fcdfe247d0719d1900e7154b92efdb338e2a576acc7ea
Instruction ID: 761431d4f8970111b50bdaf70c7d1dcd9d567b5d8ef7e209b8c7745a99eb3397
Opcode Fuzzy Hash: 7fdf529d3daf414f316fcdfe247d0719d1900e7154b92efdb338e2a576acc7ea
Instruction Fuzzy Hash: 0461AC7560C301EFE710CF24EC41B6AB7E4EB86714F10883EFA98972A1D7759946CB4A

Function 0042DDAB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0042DF8F

Strings

HQ_X, xrefs: 0042DE03
DID@, xrefs: 0042DE19
HNZC, xrefs: 0042DE24

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: FreeLibrary
String ID: DID@$HNZC$HQ_X
API String ID: 3664257935-404043411
Opcode ID: 7685dc6bd5cd68a62efe9329fc9df86e9ec86845cd580441f8bd7c73ab6287e6
Instruction ID: 7ed807d424f99c8a286e03362966888a07fba4078fc00c6b3b8880a6c426774b
Opcode Fuzzy Hash: 7685dc6bd5cd68a62efe9329fc9df86e9ec86845cd580441f8bd7c73ab6287e6
Instruction Fuzzy Hash: 37312874A0C3D19BE3228B159C917ABBBD1AFD3301F28446DE0CA2F392C6794406CB5B

Function 00B09CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: bcf8a0de62a1839733e93e5930c64ac83c10babbfb29e6aa1d7b842b7353aa61
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 4D022A71E012199BDF14CFA8C8806AEBBF1FF48314F2486A9E519E7381D731AE458B90

Function 00AFF8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00AFF8F5
IsDebuggerPresent.KERNEL32 ref: 00AFF9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AFF9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00AFF9E4

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1af10d448588a0a9f72295b435d3d7c41621b598a7b3f779d59d7a077063b077
Instruction ID: 513cf533c271b2f08f8478c1ffa5e52679e1ea4aefe1e11999021127d4916c3e
Opcode Fuzzy Hash: 1af10d448588a0a9f72295b435d3d7c41621b598a7b3f779d59d7a077063b077
Instruction Fuzzy Hash: FF31E775D0121D9ADB21DFA4DD897CDBBB8AF08300F1041AAE50CAB250EB719A858F45

Function 00427BEA Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00427C1D

Strings

ji46, xrefs: 00427E70
rYaT, xrefs: 00427E95

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ji46$rYaT
API String ID: 237503144-3893754386
Opcode ID: c6b49ff5c33d6647c2e9d3b0be8e5527ced851c5ac2a015d1fdc8cac40ecc753
Instruction ID: 1d6d3fc58e1cdd2f9a1d0a9f5f5f22e201e877a9cbb0bada89082f4a02661aba
Opcode Fuzzy Hash: c6b49ff5c33d6647c2e9d3b0be8e5527ced851c5ac2a015d1fdc8cac40ecc753
Instruction Fuzzy Hash: 1E024675A08351CFE3248F28EC9072AB7E1FF8A314F0A46BDE59497291DB349D05CB86

Function 0041BE10 Relevance: 5.6, Strings: 4, Instructions: 636COMMON

Download Yara Rule

Strings

y{, xrefs: 0041C141
A<=2, xrefs: 0041C4F0
(), xrefs: 0041C273
A<=2, xrefs: 0041C4BC

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ()$A<=2$A<=2$y{
API String ID: 0-1178100939
Opcode ID: 9e9e206cfa33672225498afd348e93b2a8e5dfa22056cfda25c68dc676b454a9
Instruction ID: 371181bf0a0259b305efc9fd451e919c184b3c672a1fdfadf1b92273cbdc7a8a
Opcode Fuzzy Hash: 9e9e206cfa33672225498afd348e93b2a8e5dfa22056cfda25c68dc676b454a9
Instruction Fuzzy Hash: 1D1202B264C3148BD714DF65C8916ABBBF1EFC5314F09892DE4C68B341E7398948CB8A

Function 00417A7E Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 366COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00417DBF

Strings

`, xrefs: 00417C5C

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: `
API String ID: 237503144-1519715813
Opcode ID: 4e6928aced69292963b1e379d009caef14d352c95422e19dcf829bca08a46556
Instruction ID: a97f7a09b8575a437b6776ba3c157882609dfd03de6747e90ce883758ad12047
Opcode Fuzzy Hash: 4e6928aced69292963b1e379d009caef14d352c95422e19dcf829bca08a46556
Instruction Fuzzy Hash: 89B13A769083218BC324CF24C8916BBB7F1EFD9764F194A2EE4C95B3A0E7748941C786

Function 00428C9B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00428CCB

Strings

L, xrefs: 00428D19
qr, xrefs: 00428E94

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: L$qr
API String ID: 237503144-2663492237
Opcode ID: 49150ecf17537569e908602358794222df8f7b1197654b586d29c9d780babd9f
Instruction ID: c7c55dca0bf1ec95fe2b056518e6cbfbd9b03799127961dcc329ddf1f1933f38
Opcode Fuzzy Hash: 49150ecf17537569e908602358794222df8f7b1197654b586d29c9d780babd9f
Instruction Fuzzy Hash: 71610672B5C3258BD718CF39984129FF6E6ABC5314F05893DE485DB281DB78C90A8B86

Function 004090D0 Relevance: 5.5, Strings: 4, Instructions: 464COMMON

Download Yara Rule

Strings

(,.., xrefs: 00409470
h, xrefs: 00409226
]_[, xrefs: 00409128
YT, xrefs: 00409130

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: h$(,..$YT$]_[
API String ID: 0-739460008
Opcode ID: 2c3247610f00ee4376cf5dda08f0336ad92fca5439f1b4266d765d1f2b4ee5ef
Instruction ID: fbc816b77af6502dc3722b079d5cd8fbe4fcf3a52f06b00b1743bac28d25b694
Opcode Fuzzy Hash: 2c3247610f00ee4376cf5dda08f0336ad92fca5439f1b4266d765d1f2b4ee5ef
Instruction Fuzzy Hash: C7D12B7150C3914AC722CF79885026BFFE1AF97204F4889AED8D5AB383C279D906C796

Function 004169C0 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

L&#1, xrefs: 00416C63
bvlM, xrefs: 00416C31
0, xrefs: 00416CF0
f, xrefs: 00416B81

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: 0$L&#1$bvlM$f
API String ID: 2994545307-736594754
Opcode ID: ee1d971016d0ff0f8768dfe8df84489fe3f71c7bdd06123f1b9bea99bc5e57f7
Instruction ID: 5cc7e6cacd9f591d95a0c13e4d86516a51b647e6ac8c114382c721e1f4d1b9b6
Opcode Fuzzy Hash: ee1d971016d0ff0f8768dfe8df84489fe3f71c7bdd06123f1b9bea99bc5e57f7
Instruction Fuzzy Hash: 4F911C716083918FD324CF24C8517ABBBE1EB97300F29896ED4D5C7252D639C985CB9A

Function 0040CEDB Relevance: 5.2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

s|, xrefs: 0040CFA2
D, xrefs: 0040D126
64, xrefs: 0040CEE3
Cu, xrefs: 0040CFAD

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: Cu$D$s|$64
API String ID: 0-114610215
Opcode ID: 01490c322100d9b7c3b806a79fd0647646783b0c950b28c2872a051548989443
Instruction ID: a6b5fbefc84d7a632b6de2f414d5f30cd5c991f5bd21e007442d1bea69d7bd8b
Opcode Fuzzy Hash: 01490c322100d9b7c3b806a79fd0647646783b0c950b28c2872a051548989443
Instruction Fuzzy Hash: 4B5133B05483818FE3208F55C8A576BBBF1FB81748F10591CE6D65B3A0D3BA854ACF86

Function 00427170 Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

'j7h, xrefs: 004278FB
>n<l, xrefs: 004278F0
2v6t, xrefs: 00427906
+r>p, xrefs: 00427911

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 'j7h$+r>p$2v6t$>n<l
API String ID: 0-1878794915
Opcode ID: 0cecdb7d0033e94eec28665bae0c7c6e7964b8612a6812e026401c746d4bea93
Instruction ID: cdda9073bcce1cb059af731d24d22a82f0e2fc098b3bbd05ad667cf3db6d1031
Opcode Fuzzy Hash: 0cecdb7d0033e94eec28665bae0c7c6e7964b8612a6812e026401c746d4bea93
Instruction Fuzzy Hash: 0251C2B2A083908BD734CF65984279FBBA2EFD0304F55882DD489AB305D7788905CB8B

Function 00427190 Relevance: 4.3, Strings: 3, Instructions: 515COMMON

Download Yara Rule

Strings

#OHI, xrefs: 004271CC
4tB, xrefs: 0042741D
7[%E, xrefs: 004271AE

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: #OHI$4tB$7[%E
API String ID: 0-506438138
Opcode ID: 38f14013febc7e743b5f87fccc87556549bbb9251e63bd7b275b96451770c4f6
Instruction ID: ee96b9713994d2d601df2ffc51cc732191283207dcf0d1d5f2ee743d6ff2f850
Opcode Fuzzy Hash: 38f14013febc7e743b5f87fccc87556549bbb9251e63bd7b275b96451770c4f6
Instruction Fuzzy Hash: 2A025AB1E082658FCB14CF68D8413AEBBB1EF4A304F1580A9D545BB346D738AD46CB99

Function 004260DD Relevance: 4.1, Strings: 3, Instructions: 386COMMON

Download Yara Rule

Strings

dlB, xrefs: 00426C5E
,w|y, xrefs: 00426BD4
q^jd, xrefs: 00426BCC

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ,w|y$dlB$q^jd
API String ID: 0-1494296930
Opcode ID: 27d87feb3751a718207444974a2fb5cf4cca6e6a036e9ff850eff3f16ede8312
Instruction ID: bf95f5fa37f9375b02c2ec495c70b665b9d1f1399691d10326b7b221676bb7fa
Opcode Fuzzy Hash: 27d87feb3751a718207444974a2fb5cf4cca6e6a036e9ff850eff3f16ede8312
Instruction Fuzzy Hash: 9DC14B32B083648BCB24CE6494412AB7BA2DF96300F59C52EE9C5CB345D63DD946D78A

Function 0042CD97 Relevance: 4.1, Strings: 3, Instructions: 345COMMON

Download Yara Rule

Strings

2&<`, xrefs: 0042D579
-, xrefs: 0042D46B
Vj o, xrefs: 0042D650

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: -$2&<`$Vj o
API String ID: 0-4013841480
Opcode ID: 7b4b29f7f4199076616cc93f2ada63d08554570eeaee276e63067f490119246e
Instruction ID: 1a6a7886547517e8ae2b5dbe149c8a27647e6ecca24e251f3d269ca63540ac96
Opcode Fuzzy Hash: 7b4b29f7f4199076616cc93f2ada63d08554570eeaee276e63067f490119246e
Instruction Fuzzy Hash: 56A1097090C3A28BD339CF28D4617BBBFE09F96314F18496ED4D9973C2D67889058B96

Function 00429CF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429DC9

Strings

]>h<, xrefs: 00429D3A

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ]>h<
API String ID: 237503144-3030212049
Opcode ID: e9037479c24fdfde963404b65f45ebe6ff4ee913b880207234c185a1e40cea53
Instruction ID: 078f40d5ba68390e6ca3eff5d9c37930aaf4ec8c603ba1d3c0406bbba0adf978
Opcode Fuzzy Hash: e9037479c24fdfde963404b65f45ebe6ff4ee913b880207234c185a1e40cea53
Instruction Fuzzy Hash: 7041DFB114C350CFE304CF65A89166BBBA5FBC6358F10097CE5899B252C7B9D906CB4A

Function 00415216 Relevance: 3.0, Strings: 2, Instructions: 517COMMON

Download Yara Rule

Strings

c`, xrefs: 00415306
$, xrefs: 0041556C

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: $$c`
API String ID: 0-842158197
Opcode ID: 1c3a5eae5739ace6d18648c66650f9a4068653c2f0f5949c226e70ba00c4fedd
Instruction ID: dd3e1522ea5a8850a169a160a75abdf05389fdd475fb2fb88aaea31f10180a33
Opcode Fuzzy Hash: 1c3a5eae5739ace6d18648c66650f9a4068653c2f0f5949c226e70ba00c4fedd
Instruction Fuzzy Hash: 5AF1F275608741CFD7248F24C8827EBB7E1EF96314F14492DE4C987392EB389885CB8A

Function 0041C5C0 Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

~y, xrefs: 0041C89D
a{, xrefs: 0041C885

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: a{$~y
API String ID: 0-3182041098
Opcode ID: 3d454d49985a2a0e3b941ede6320639c585380cceb87bdbe4e8007742991eaa4
Instruction ID: 75bff3c3db158d954bec842596e0cdcced5b236e80de3a33e7ec932c4dc99f6f
Opcode Fuzzy Hash: 3d454d49985a2a0e3b941ede6320639c585380cceb87bdbe4e8007742991eaa4
Instruction Fuzzy Hash: 84B124759483108BC724DF28C89167BB7F1FF86320F18965DE9D69B390E7389845CB8A

Function 00415DC6 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

gfff, xrefs: 00415F5C
7, xrefs: 00415ED9

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 94724630c373585018f1faae58bd8aaa8b04e0d45f69a992cda0550e7b3563d6
Instruction ID: 01b21243a20702138b51205bd9c623b69e34be6f8268a7d997fa6d0268599045
Opcode Fuzzy Hash: 94724630c373585018f1faae58bd8aaa8b04e0d45f69a992cda0550e7b3563d6
Instruction Fuzzy Hash: 59613772A147008FD714CB29CC11BAB77E2ABC5324F59C63EE499C7391DB38C8468B86

Function 0041CA31 Relevance: 2.7, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

[U, xrefs: 0041CADD
_8Y, xrefs: 0041CAD5

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: b0d1fc465a6e0976bbd15fa914788d61173f673717a0b10e5c89f8b790ea59dc
Instruction ID: 9c64b4bc5be12fe9f75fb68bc15c68ddc9596453a12a6dbfc66edc477172d374
Opcode Fuzzy Hash: b0d1fc465a6e0976bbd15fa914788d61173f673717a0b10e5c89f8b790ea59dc
Instruction Fuzzy Hash: 8051FEB164C3508BD7109F28D86276BB7F1EF92718F14496DE8C99B281E33AD942C74A

Function 0041CA48 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

[U, xrefs: 0041CADD
_8Y, xrefs: 0041CAD5

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 50cbfdcee0948dcbdd23f1ae7ac5e781ce55625ed94e819955dcea971a560f28
Instruction ID: 28b5ea908cd200a1f324e1be12f6cae0da75ca6590cd75e649b7e21bd8b1c8c4
Opcode Fuzzy Hash: 50cbfdcee0948dcbdd23f1ae7ac5e781ce55625ed94e819955dcea971a560f28
Instruction Fuzzy Hash: 465111B064C3508BD3109F28D85276BB7F1EF92718F14496DE8C99B281E339D942C74A

Function 00429BB6 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

#"! , xrefs: 00429843
#"! , xrefs: 00429C06

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: #"! $#"!
API String ID: 0-2193544780
Opcode ID: abed44959698438cb1c661172d06b6868037aba038c331fdbad8c604c70049aa
Instruction ID: cd4cf4d5666f8a53dd6c01a615deffee35ebb6a9d5f7e47654a0f796f435bd57
Opcode Fuzzy Hash: abed44959698438cb1c661172d06b6868037aba038c331fdbad8c604c70049aa
Instruction Fuzzy Hash: 8B118135B582608BD7188F58E89037BB3A1EFD6300F59987EC98977601C6799C06CB8E

Function 0041409E Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

RFA, xrefs: 0041463E

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: RFA
API String ID: 0-931248713
Opcode ID: 1f55cd0348210b3fe034449fa357881ba106396d4009bbabf9f59fb926ecc76f
Instruction ID: d964ecd79129a3e84731010d0bb4c1e5ef2bfb91af8b8152687b304041cbad3a
Opcode Fuzzy Hash: 1f55cd0348210b3fe034449fa357881ba106396d4009bbabf9f59fb926ecc76f
Instruction Fuzzy Hash: 99F104B9A00214EBDB148F94EC41BBF77B1EF8A310F15403AEA41A7392C7799C51CB99

Function 00421B90 Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

XY, xrefs: 00421BBC

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: XY
API String ID: 0-554446067
Opcode ID: 374f0bda3fd705f3d38043ac2b3c4db5797aa2432723f10584d077be981dd17b
Instruction ID: d0a4d8830811aebd93eafad7b07ac1cf8a369ea5002ebfc377116dbfc8cce13c
Opcode Fuzzy Hash: 374f0bda3fd705f3d38043ac2b3c4db5797aa2432723f10584d077be981dd17b
Instruction Fuzzy Hash: 24C188757043205BD7149B25AC92A7BB3E1EFE1324F49843EE89587392E37CD806C35A

Function 0042AED0 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

", xrefs: 0042B1CA

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 9c5fcf4882b56b762d66e4d232856149ba000610ed3149ece24e5d6c45238d64
Instruction ID: 5d9ed2f4b436a587e8e56cab90cdcb535a8b60cbed088ade6d48d1a0fcd2b2e8
Opcode Fuzzy Hash: 9c5fcf4882b56b762d66e4d232856149ba000610ed3149ece24e5d6c45238d64
Instruction Fuzzy Hash: 0AD10271B083219FC714CE25A88072BB7E6EB84354F58C96EE89987381E738DC05C7DA

Function 0042546B Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

ol, xrefs: 004255E3

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: ol
API String ID: 0-3887614180
Opcode ID: 970f4193b524a2bd122eea626d0cf188bf19dcd07cbc74f263952f0bdaeb968c
Instruction ID: 7aa9c3509c59484caa343586baaaf50edff0654ad2b42a836a170c3a5c19e74a
Opcode Fuzzy Hash: 970f4193b524a2bd122eea626d0cf188bf19dcd07cbc74f263952f0bdaeb968c
Instruction Fuzzy Hash: 1EC1343160C7128BC324DF28D4916AFB3E2EFD5350F98892DE0C687360E7399946DB59

Function 0040AAA0 Relevance: 1.6, Strings: 1, Instructions: 375COMMON

Download Yara Rule

Strings

G, xrefs: 0040AE97

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 70dc6fffec8001c489d5f64c8bcfb6d1fe1721603c762928a24debc60d885bf5
Instruction ID: f48626985c55fc1fef1f40c4d0008b84fd224a6b25b3f7b9d47bbef1cefa0f56
Opcode Fuzzy Hash: 70dc6fffec8001c489d5f64c8bcfb6d1fe1721603c762928a24debc60d885bf5
Instruction Fuzzy Hash: 44C1177164C3914BD728CE6884912AFFBE2DBC1314F18893EE5E55B3C1D6798806C78B

Function 0042DA08 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

{Ftw, xrefs: 0042DB0D

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: {Ftw
API String ID: 0-1818186142
Opcode ID: dd9fde14b8f54b0dd6a43ef3875e77c449cdeca989125b396de5973d5cfe6629
Instruction ID: 6680c69c0eeb293711a0d3d3ea003c7c29a66e80494f312b60897737a0c123eb
Opcode Fuzzy Hash: dd9fde14b8f54b0dd6a43ef3875e77c449cdeca989125b396de5973d5cfe6629
Instruction Fuzzy Hash: 2C513970A0C3A24BE71DCF3A947077BBFD19B97304F68496DE0D297382D6288509C79A

Function 0042D2BA Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

{Ftw, xrefs: 0042DB0D

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: {Ftw
API String ID: 0-1818186142
Opcode ID: 0bad9244c838ad41c448172ebadc09af827445c4a3a9c5fa16341be90e94a565
Instruction ID: 48203b4cab5f4c61946f97c35fd6d117fdadac71da7f4ae34be9f5cdc948ff22
Opcode Fuzzy Hash: 0bad9244c838ad41c448172ebadc09af827445c4a3a9c5fa16341be90e94a565
Instruction Fuzzy Hash: FB510670A0C3A14BD719CF2A947077BBFD19F97304F58499DE0D25B382D6688909C79B

Function 0042BB6C Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

GI^W, xrefs: 0042BB89

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: GI^W
API String ID: 0-2314976602
Opcode ID: 078e8d5ed1ee9c7da16ea7182450f96849eb6ceb227317bacbd7a954e21526a9
Instruction ID: 49333ae492997b835cdfef2578e7c3a39a981830b4f0cd6284df5a7707cecfee
Opcode Fuzzy Hash: 078e8d5ed1ee9c7da16ea7182450f96849eb6ceb227317bacbd7a954e21526a9
Instruction Fuzzy Hash: 0D416BA460C3E15BE7368B26A4707B77FD0EFA3306F28189DE4DA5B342DB3445058795

Function 00428FD0 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

gd, xrefs: 0042909C

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: gd
API String ID: 0-565856990
Opcode ID: 8047f239ee13dd6487501b28a969fae2f62aed1d507e02169b9812561186ede9
Instruction ID: af4b26260d56ce4a64166c070a8230139eae40b18e7b66fef885e27dcf52e14f
Opcode Fuzzy Hash: 8047f239ee13dd6487501b28a969fae2f62aed1d507e02169b9812561186ede9
Instruction Fuzzy Hash: 7941F1B09083298BD724DF18E85276BB3F0FF91304F048A1DF9858B291F7789A04C78A

Function 00416DA0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

, xrefs: 00416E85

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7787771548d8a45158bc5e694f080c7a7105c2e4e2551863cc337677b313aa5a
Instruction ID: b827fdf179c660f5feb19dad228a2c4949a63098f5defd2e83e1a35ea0f53e93
Opcode Fuzzy Hash: 7787771548d8a45158bc5e694f080c7a7105c2e4e2551863cc337677b313aa5a
Instruction Fuzzy Hash: 8E31E63810C3818BE7019F2994507BAFBE1ABDB319F190A6EE0C597293CB38C54AC756

Function 00414230 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

FCA, xrefs: 00414340, 004143FA

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: FCA
API String ID: 2994545307-1373193632
Opcode ID: 71b7fcefdf52ef8995e202577b27809239b2cda1987c324c7d027e2b6ce894c0
Instruction ID: da1c0db9761351975293612de948a7318495de0c6c16e9aad410fb0addf788bd
Opcode Fuzzy Hash: 71b7fcefdf52ef8995e202577b27809239b2cda1987c324c7d027e2b6ce894c0
Instruction Fuzzy Hash: A831A779A412249BCB148F84E880AFFB3B1FF9A310F29113ED59667751C3399C528B9D

Function 0041AD3D Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

0, xrefs: 0041B086

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8565e1f0c62572a704c669222c54f745b2c78fcf8f9a20e684a60a65c7092e03
Instruction ID: fdca04bf25663439895bf8c196f2c14b852a70202da4179485de109e359b5960
Opcode Fuzzy Hash: 8565e1f0c62572a704c669222c54f745b2c78fcf8f9a20e684a60a65c7092e03
Instruction Fuzzy Hash: 37316D319096A086D7298A2850543FBFBE2DF97311F5894AFE8D15B382D7388946839A

Function 0043E6DB Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

.qg, xrefs: 0043E7CD

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: .qg
API String ID: 0-677383860
Opcode ID: d0fcf37da2aaffefbc289762087ce4023645970da64a562eb37ecee7b3ac715b
Instruction ID: 2478107b85bec5ea04d97e0001281ffabd2b778338291effa5682094572616fe
Opcode Fuzzy Hash: d0fcf37da2aaffefbc289762087ce4023645970da64a562eb37ecee7b3ac715b
Instruction Fuzzy Hash: 6B2122267956014FE3498E6999D22EA77D3D7D6220F08EA3D82D4C3392E12CC80BA705

Function 004289B1 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

MVBY, xrefs: 00428A75

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: MVBY
API String ID: 0-4042508585
Opcode ID: 7755342021dc1e50964d88f504e0e8fbd2111fe185f7baf32a402f5a3ba0da03
Instruction ID: f1107e564cab7bf1d5c90ec0f6b3d94c7bfe2434a4045452f86534282f76f3f2
Opcode Fuzzy Hash: 7755342021dc1e50964d88f504e0e8fbd2111fe185f7baf32a402f5a3ba0da03
Instruction Fuzzy Hash: 0521AD7251C2508ED728EF64C051AAFB6F2BBD2304F51886DC9E997221DA3889049B4A

Function 0041417E Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

D]+\, xrefs: 004141F0

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: e92174057f0895fe80b8147648d4f663309b5e75682ddf9aa59cc0c358ab6111
Instruction ID: a527843f7c6d39d42a0e76aaa3e64af9da3c8890365244888c69e1cdcc011a12
Opcode Fuzzy Hash: e92174057f0895fe80b8147648d4f663309b5e75682ddf9aa59cc0c358ab6111
Instruction Fuzzy Hash: 8511E375A00124EFCB188F84DC409BEB7B1FF9A310F29012EE59267361C7399881CB98

Function 004297C1 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

#"! , xrefs: 00429843

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID: #"!
API String ID: 2994545307-536574057
Opcode ID: 876cce28b35acd0b57d76d15e59e1240e6ff718f32653bbe4975e84ef24d2d16
Instruction ID: cd1d4fa5a6d5aee14a5a1f3f5b9281daa537880ece2d81d772ce0bad76b54861
Opcode Fuzzy Hash: 876cce28b35acd0b57d76d15e59e1240e6ff718f32653bbe4975e84ef24d2d16
Instruction Fuzzy Hash: 06112674B54130EAD7258F08E8C067B7361EF92304F99442FD98527612C3694C12C79E

Function 00409C3D Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

I^GD, xrefs: 00409C55

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: I^GD
API String ID: 0-1878234970
Opcode ID: 7b086f7fef59a0e027a80dd41fb79afe4a4b12b0e48b4c3565e8162069a0a408
Instruction ID: b89b783b849fb5f800db91fc1152f4c205c8b2509ccc9652bf891b79445c149b
Opcode Fuzzy Hash: 7b086f7fef59a0e027a80dd41fb79afe4a4b12b0e48b4c3565e8162069a0a408
Instruction Fuzzy Hash: E7F0B43050C7C04BEB029B3864216FBB7D0E757324F141E7CC4D6E3283C3389412860A

Function 0043E372 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

}kg, xrefs: 0043E3A2

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID: }kg
API String ID: 0-4139213958
Opcode ID: 2c0e252928e5872d85f37575665bf770b898ed14bee6f7f219f34b7b7ce903ca
Instruction ID: f0e34db99ff4968b15449ff462c62fcfb2f1ded94150262fe49d3d6444fd96e4
Opcode Fuzzy Hash: 2c0e252928e5872d85f37575665bf770b898ed14bee6f7f219f34b7b7ce903ca
Instruction Fuzzy Hash: 1AE092346482C04BE704CB289860467BBF1E78B228F142B2CD992D3791D320D8018B0D

Function 00407540 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
Instruction ID: 51c1a6252e493b95e3c98cf47f07870d118ac6fb57f8262af15e9862afe7c1b7
Opcode Fuzzy Hash: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
Instruction Fuzzy Hash: 7F22A131A0C7118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B8518B4B

Function 00439280 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10b09c67160d74fe973a114dbc784eb5b8e7304f0297a8d09a9864bc7d4fc489
Instruction ID: 34470fdbb189725afc3e700a8bde0e0ec9e7749f31a553f79f6f092050d3f221
Opcode Fuzzy Hash: 10b09c67160d74fe973a114dbc784eb5b8e7304f0297a8d09a9864bc7d4fc489
Instruction Fuzzy Hash: 01D15C72B083105BD724CF24CC8166BB792EBC9314F1A6A2ED99553381D779EC06C79A

Function 0042E0F0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f9056f4c5a6b385e09d1041c33ae2c947402bc62dbcc82978c85a89889b36a
Instruction ID: 2abb1c9e4c507df68c196ebff39685f38affc042cff3308c947b34876c897c5a
Opcode Fuzzy Hash: 14f9056f4c5a6b385e09d1041c33ae2c947402bc62dbcc82978c85a89889b36a
Instruction Fuzzy Hash: D022C6F0615B409FD365CF29C891B97BBE8FB4E304F00486EE5AE87351CB7525058BAA

Function 00416600 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd97d4c33bca4b8e78add7eafd7afc8d6d523fef664b3153f65230c71463556f
Instruction ID: 9c3641cae366a5f8b08393a179bb80b94902b3f4070d17dd0f3f7f14490260ca
Opcode Fuzzy Hash: dd97d4c33bca4b8e78add7eafd7afc8d6d523fef664b3153f65230c71463556f
Instruction Fuzzy Hash: 54B1F774A093009FD7288F14D881B7BB762EFA6328F26652DD1C613252C735DC96CB8E

Function 0043FFB0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 885c4efbbb9e64159742ab800893ef6f5335e38b3f659857567e771ff2df9372
Instruction ID: 3c80c2fb4178644cd7440de7c3e268878fad8d318a679a30644e484febefd96a
Opcode Fuzzy Hash: 885c4efbbb9e64159742ab800893ef6f5335e38b3f659857567e771ff2df9372
Instruction Fuzzy Hash: 6D9127356042019BD715DF2CC890A2BB3F2FF99710F19856EEA859B3A1DB35DC21C74A

Function 0043FCD0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2902b0c281ba4d693f2617baec2ccc2622ffe231d38d61a72235831c590aa745
Instruction ID: 568f5669e048fcff2113547bc7cef721230b2bf445ca6562d71aca1d6c9b38f7
Opcode Fuzzy Hash: 2902b0c281ba4d693f2617baec2ccc2622ffe231d38d61a72235831c590aa745
Instruction Fuzzy Hash: A0718B31A042015BD7149F28DC51A3B73A2EF9E750F19953EE88687361DB38E855C78A

Function 00429B82 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458e749ca59ab89920782cd25cf10f42a6bfba4f8469eec1dbd298ba4cd8845f
Instruction ID: 4ecc5b067d9fa75bd97263e621182eacde3ea01dae41a833ec46b2c37d84569b
Opcode Fuzzy Hash: 458e749ca59ab89920782cd25cf10f42a6bfba4f8469eec1dbd298ba4cd8845f
Instruction Fuzzy Hash: 1E61FCB160C310CBD7149F18D85222BB3F1EF96324F588A6DE4D28B791E3788D45CB9A

Function 00439000 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfab155f09fe73a731e7bcb9fd6d35a467d83da56b015dbbb516beeaed379ed2
Instruction ID: 005ec5068d2ad2a12ab892b5cae41535a95bce5180fc9816dd56f3a7bfb5dab1
Opcode Fuzzy Hash: bfab155f09fe73a731e7bcb9fd6d35a467d83da56b015dbbb516beeaed379ed2
Instruction Fuzzy Hash: DB519575A08304ABE710DF28DC84B7BB7A6EB8A300F15983DF58893241D779DD09D79A

Function 0042A9A0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66005e03aa27836dd650f0e005e5dffc4785e5d69e6775a9d1cdd3b8174d98a4
Instruction ID: 9150d0f941fbdf8258f6ca472fc53c5e8d28733224733d753e598c910154a09b
Opcode Fuzzy Hash: 66005e03aa27836dd650f0e005e5dffc4785e5d69e6775a9d1cdd3b8174d98a4
Instruction Fuzzy Hash: E471E5317087604BC7249E2DA98022BB7D2AF85730F698B1EECF58B3D5D2389C55874B

Function 00439760 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5de5fe10818bd081c045f2f72feef30805de65655a501e456dbeeccb69030bf
Instruction ID: 45821c036e835cf6da8ae56ea9d3604fa588e6dfa63f9076ccedc3b1d8b098a4
Opcode Fuzzy Hash: b5de5fe10818bd081c045f2f72feef30805de65655a501e456dbeeccb69030bf
Instruction Fuzzy Hash: DF4148B2A043045BE718AE14DC40B7BB795EFCA308F15183EF98593251D779EC09879A

Function 0042CB6D Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2309b2129719812af63d8438b1a5ecbc0309b185851f74802701dee54840390b
Instruction ID: 7b0a85920d90c3f6fbfe1a46f9fbd4616777d05728f6bdedd92568305783ed72
Opcode Fuzzy Hash: 2309b2129719812af63d8438b1a5ecbc0309b185851f74802701dee54840390b
Instruction Fuzzy Hash: AD416F216083618BDB29CA3964E127B7B92DF97364F48876DC4D68F3DAC22CC505C39A

Function 00408820 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9c263ec52d77fd7c2a5088dd199313b2c99a9bdb3e25d913d27fe764585634
Instruction ID: a10a9ace44cc20276a251417395e7061845d4154c0b41375cde5f303133b12a8
Opcode Fuzzy Hash: 5a9c263ec52d77fd7c2a5088dd199313b2c99a9bdb3e25d913d27fe764585634
Instruction Fuzzy Hash: 32410433E119188BEB14CE69DD443DA7393ABD8324F2ACA39DD54EB3C0DD39AD118684

Function 0040D94C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 93909e7b861c164faacf7429a02c5f49969147d997c4f70fb6adb48fbc3d5ec5
Instruction ID: 06f35b9f8222a1c7a2136048da360587426c84a327200a8c1a6c2b2bf15167cf
Opcode Fuzzy Hash: 93909e7b861c164faacf7429a02c5f49969147d997c4f70fb6adb48fbc3d5ec5
Instruction Fuzzy Hash: 6F21D6B8B086D08BD324CB18D8417AFB7E2ABCA350F18997ED5C5E3385C6749845874A

Function 00416FC1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df04eecf348f6ec08b4600dc175a6dbf643bcaa6174dfef0765524edbb6901e5
Instruction ID: 8e7edb28edaa743d1e8a2ca10ff073165bcc5d1f5d1422abfeafcfa1e8691f8d
Opcode Fuzzy Hash: df04eecf348f6ec08b4600dc175a6dbf643bcaa6174dfef0765524edbb6901e5
Instruction Fuzzy Hash: 38113A7514C200ABDB158B14D851EBB7BA6EF49328F15052EE1C613223C33ADDA3CB9E

Function 00417097 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdc94542ef3b7bfb0eebc177f98e44741ab56a92dbe6d81632f36d099ef8261
Instruction ID: ac4e4c7110d06ab024df55a5fde5a5183d459c2b3bfeb81cb117c0f377f141fc
Opcode Fuzzy Hash: dcdc94542ef3b7bfb0eebc177f98e44741ab56a92dbe6d81632f36d099ef8261
Instruction Fuzzy Hash: 2111B63420C3408BD714CB14D491AABBBA19F8A338F25152ED5CA53212C739DC97CF8E

Function 0040D715 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad94967aac5fbe54075480cd5b3cf2f0b4f335de3101cb2129af245e0c56d82d
Instruction ID: 898019802544eefba0f5fff70ddb6c7d25be2340c2c605c2c39b82dbbc86cf8b
Opcode Fuzzy Hash: ad94967aac5fbe54075480cd5b3cf2f0b4f335de3101cb2129af245e0c56d82d
Instruction Fuzzy Hash: 993185B89193808BE734CF55C851BABB7E2BFC9300F14982ED0C997391D77855098B1A

Function 0041613C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4e34c78099cd0fb786861c4e9b67c7f0200c22a3c06f4e7790dfb8561bc14d1
Instruction ID: 718830ab9cefd92451f733bafe5385d49c8e0263c7cb65eddacdf53f8aeae9c9
Opcode Fuzzy Hash: a4e34c78099cd0fb786861c4e9b67c7f0200c22a3c06f4e7790dfb8561bc14d1
Instruction Fuzzy Hash: E301FE74708300AFD3208B14D941BA7B7F5ABC6355F15552DD0C893213CA35D891CB5E

Function 00435880 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5b2b74ac1a3ba5c45c454e7f1da22ae82971d98106045a86a0c66dac7f734a9c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1311E533A055D44EC3168D3C8400566BFE30EA7235F69939AF4F89B2D6D6268D8E8359

Function 0042A900 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbefc0aaaae31065107afbd05f1856c50cdddf71bb63b496adc64cf0b6f71d7
Instruction ID: 152272b00c312c91414574f230f3ba22e0f118dcefba2f606aabb1c3d722775f
Opcode Fuzzy Hash: 0cbefc0aaaae31065107afbd05f1856c50cdddf71bb63b496adc64cf0b6f71d7
Instruction Fuzzy Hash: 1601D8F170071147E7209E53A5C0737B2A86F81718F1A483EDC4867341DB7DEC68C69A

Function 004160AC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d99286f5bee5299aa67965cd096eea84c8504088a8c3adbbf6937f678f2e6c6e
Instruction ID: 35524161cfba80d1c3cdc7199ce4602e1dee8a575dc7be6b2fece3da34c89176
Opcode Fuzzy Hash: d99286f5bee5299aa67965cd096eea84c8504088a8c3adbbf6937f678f2e6c6e
Instruction Fuzzy Hash: 410149746042109BEB24CB149D51B7B77E1EB8B325F2A183DE1C6A3193C624E8D1C70E

Function 0042BD50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2bb327e109cc06b0f5bcee56e9a19d3659d92beffae06204f8a55db50f8f19
Instruction ID: c6917e7f57e7423663601ffabffa0dc2e4be31a6bfb33ddc875298ad7f9c3d88
Opcode Fuzzy Hash: 7d2bb327e109cc06b0f5bcee56e9a19d3659d92beffae06204f8a55db50f8f19
Instruction Fuzzy Hash: 9DF0EC147982960BE318973864B5BFFA7D1D783728F541B3CC1D7D3693E6158803464D

Function 0040BF63 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6810b6d46a952c214fc29e8ff1f8a53579113133959a9dcb001a82a5e45cd878
Instruction ID: fb7f1b7316cbe5b4fc96c526ad714eb641262e3d4644acd51d98e3cb9073cb97
Opcode Fuzzy Hash: 6810b6d46a952c214fc29e8ff1f8a53579113133959a9dcb001a82a5e45cd878
Instruction Fuzzy Hash: F3D05BDEE8180847D69C9721FC1376AB265A39515CB19743E980FD3717D92CD255404D

Function 004322F6 Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00432300

Strings

d, xrefs: 00432387
P, xrefs: 004323A5
/, xrefs: 0043243B
r, xrefs: 004323C3
*, xrefs: 00432341
*, xrefs: 00432427
n, xrefs: 004323D7
c, xrefs: 004323CD
e, xrefs: 0043241D
*, xrefs: 00432337
0, xrefs: 004324EB
!, xrefs: 00432373
`, xrefs: 00432391
6, xrefs: 00432323
Z, xrefs: 00432431
9, xrefs: 0043235F

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: AllocString
String ID: !$*$*$*$/$0$6$9$P$Z$`$c$d$e$n$r
API String ID: 2525500382-3262402241
Opcode ID: cb4a5adb662cf75e44ad72f0b6ea7189be423dd3c01865b8ebb67128178dc031
Instruction ID: dddf787bba59d8c4edd24aeb07a3b0fdd7e4352279f3d81e3e267e0d9ab3230f
Opcode Fuzzy Hash: cb4a5adb662cf75e44ad72f0b6ea7189be423dd3c01865b8ebb67128178dc031
Instruction Fuzzy Hash: 1F61D32140CBC28AD322C67C884864FFFE15BE7224F184B9DE5F44B3E6C6A58546CB67

Function 00432D03 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 89COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432D19
VariantInit.OLEAUT32 ref: 00432D2C

Strings

g, xrefs: 00432D77
c, xrefs: 00432D8B
y, xrefs: 00432D59
o, xrefs: 00432D9F
m, xrefs: 00432D95
e, xrefs: 00432D6D
i, xrefs: 00432DA9
k, xrefs: 00432DB3
a, xrefs: 00432D81
{, xrefs: 00432D63

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Variant$ClearInit
String ID: a$c$e$g$i$k$m$o$y${
API String ID: 2610073882-4285228952
Opcode ID: 09d63eaadca6f4b89d631470797b97cd6c8383af6786a790d5847a1899f96b37
Instruction ID: e40e0d38ba16d3728829d0489d928af8b97e0180d5aeebb0aaa979edfa8964cd
Opcode Fuzzy Hash: 09d63eaadca6f4b89d631470797b97cd6c8383af6786a790d5847a1899f96b37
Instruction Fuzzy Hash: 7041297010C7C18EC3259B3C988824EBFD16B9A328F480B5DF0E98B3D2D6B58545C767

Function 00431C0F Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431C19
VariantInit.OLEAUT32 ref: 00431C2C

Strings

e, xrefs: 00431C6D
{, xrefs: 00431C63
y, xrefs: 00431C59
k, xrefs: 00431CB3
a, xrefs: 00431C81
m, xrefs: 00431C95
o, xrefs: 00431C9F
g, xrefs: 00431C77
c, xrefs: 00431C8B
i, xrefs: 00431CA9

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: Variant$ClearInit
String ID: a$c$e$g$i$k$m$o$y${
API String ID: 2610073882-4285228952
Opcode ID: 262b2ab90f2609da02b6e1de10f0e9f2ddd1c22704db85f28f298a0afd4d4ca6
Instruction ID: a0fd58e4d8ccd35e6e9a63c0debc485f416bf03bc3de50930b83af045deb2cf2
Opcode Fuzzy Hash: 262b2ab90f2609da02b6e1de10f0e9f2ddd1c22704db85f28f298a0afd4d4ca6
Instruction Fuzzy Hash: 2141573110C3C18EC3259B38948824BBFD16BE6328F584B5DE4E94B3E2D7B58506C767

Function 00B1AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,00B1AACD,?,?,?,?,?,?,?,?,?), ref: 00B1AB88
__alloca_probe_16.LIBCMT ref: 00B1AC43
__alloca_probe_16.LIBCMT ref: 00B1ACD2
__freea.LIBCMT ref: 00B1AD1D
__freea.LIBCMT ref: 00B1AD23
__freea.LIBCMT ref: 00B1AD59
__freea.LIBCMT ref: 00B1AD5F
__freea.LIBCMT ref: 00B1AD6F

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 292373ea4972c0a3802265cb3aa6fd0417a6cb6d62cfcaa53c7d405762a08e74
Instruction ID: 08cc2c60df84699f1d06055ff691d039385af661a5d89ebb50c245d9f439e0ab
Opcode Fuzzy Hash: 292373ea4972c0a3802265cb3aa6fd0417a6cb6d62cfcaa53c7d405762a08e74
Instruction Fuzzy Hash: 8771147290564A6BDF209EA49C81FEF7BFADF45710F9800E5F904A7291E734AC808792

Function 00AFFE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00AFFE70
__alloca_probe_16.LIBCMT ref: 00AFFE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00AFFEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AFFEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00AFFF37
__alloca_probe_16.LIBCMT ref: 00AFFF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00AFFF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00AFFFB9

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: c00ad9dcf1c1d4ea7115ee6c39af440a0f82382f43338983fbea7ac422ff25c4
Instruction ID: 6a2c0913f178d73383f6674e1b502336b212490950b65186f4d4dd406cc2876b
Opcode Fuzzy Hash: c00ad9dcf1c1d4ea7115ee6c39af440a0f82382f43338983fbea7ac422ff25c4
Instruction Fuzzy Hash: 69518B7260021EAFEB205FA0CC45FBA7BB9EF41790F254439FA15EA1A0DB718D11CB60

Function 00B0EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B0EEFC

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: b6c039fbda78fe0b138a1679667b06aa35cb1c57f8e218944b4a51c4e397efd6
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: A7B14572A04356AFEB218F24CC81BBEBFE5EF55310F1481E5E954AB2C2E674D941C7A0

Function 00B00D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B00D77
___except_validate_context_record.LIBVCRUNTIME ref: 00B00D7F
_ValidateLocalCookies.LIBCMT ref: 00B00E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00B00E33
_ValidateLocalCookies.LIBCMT ref: 00B00E88

Strings

csm, xrefs: 00B00E1D

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c7db97aaca7ad4c4b895707f3fb29757684f10c7cee78c141011fd1efeee7892
Instruction ID: 9fb7d4e521b9d0155c589fb3ec49b1862bba151fa6e03e7860b93c6bec84b930
Opcode Fuzzy Hash: c7db97aaca7ad4c4b895707f3fb29757684f10c7cee78c141011fd1efeee7892
Instruction Fuzzy Hash: 09419130E102189BCF10EF68C884B9EBFE5EF45314F1489E5E9156B2D2DB31A955CB91

Function 00AF24B0 Relevance: 10.6, APIs: 7, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00AF24DD
ShowWindow.USER32(00000000,00000000), ref: 00AF24E6
GetCurrentThreadId.KERNEL32 ref: 00AF2524

Part of subcall function 00AFF11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00AF253A,?,?,00000000), ref: 00AFF129
Part of subcall function 00AFF11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,00AF253A,?,?,00000000), ref: 00AFF142
Part of subcall function 00AFF11D: CloseHandle.KERNEL32(?,?,?,00AF253A,?,?,00000000), ref: 00AFF154

std::_Throw_Cpp_error.LIBCPMT ref: 00AF2567
std::_Throw_Cpp_error.LIBCPMT ref: 00AF2578
std::_Throw_Cpp_error.LIBCPMT ref: 00AF2589
std::_Throw_Cpp_error.LIBCPMT ref: 00AF259A

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 09a76226f8ac336fe21ca50960cf931aac3b685401566d746c272c019ba4422c
Instruction ID: 765b3cc732a2559fb98e787b6d8249da13600e82bc4074acced723e5397f7af8
Opcode Fuzzy Hash: 09a76226f8ac336fe21ca50960cf931aac3b685401566d746c272c019ba4422c
Instruction Fuzzy Hash: 0F2167F1D4021D9BDF10AFD4DD06BEE7AB4AF04710F080165F6087B291E7B5A514CBA5

Function 00B0CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,00B0D01A,00AF1170,00AFAA08,?,?), ref: 00B0CFCC

Strings

api-ms-, xrefs: 00B0CF62
ext-ms-, xrefs: 00B0CF76

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 5747248309f45e620ae1bfb00086e07b83364e2bd3d28205a02aee182c65fbf8
Instruction ID: f128b98ebb6eb0e6a78309852128c470cf476331e6c2284fa2e67f3a46d44b0d
Opcode Fuzzy Hash: 5747248309f45e620ae1bfb00086e07b83364e2bd3d28205a02aee182c65fbf8
Instruction Fuzzy Hash: D821E731B41312ABC731AB65EC80A5A7FEADB517A0F2503A1F949A72D0DF70ED09C6D1

Function 00B00080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B00086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B00094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00B000A5

Strings

GetTempPath2W, xrefs: 00B0009A
kernel32.dll, xrefs: 00B00081
GetSystemTimePreciseAsFileTime, xrefs: 00B0008E

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 46ddb9a949e7fa35ad87ecc706faf9ddd9696020f51fe70fd15999d74cc4167f
Instruction ID: 3aee59c75296ca079aed6affb38d14d7183b6e2fdb156a81569069dca59e72e7
Opcode Fuzzy Hash: 46ddb9a949e7fa35ad87ecc706faf9ddd9696020f51fe70fd15999d74cc4167f
Instruction Fuzzy Hash: F4D09271546220AB8331AFB8BD4988A3FE9FA09B113014192F949D3264DFB885538A94

Function 00B14F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0a5ba8c3fd713a0202b797cecfe9419c89fbdab153f57ee0dc100b8b108128
Instruction ID: 0fce3004f6e8082211060636c914b8303d972534ed5f500007b4c31f60e1d0da
Opcode Fuzzy Hash: 5e0a5ba8c3fd713a0202b797cecfe9419c89fbdab153f57ee0dc100b8b108128
Instruction Fuzzy Hash: 8BB1D371E04A49EFDB21DFA8D880BEDBBF1EF85304F5441D9E51197291CB71A981CBA0

Function 00AF9B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00AF9C97
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00AF9D06

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: e6237ee9c22d16a9f5105c24c651196e7f45dd025fdbbc34c5cb3a3db8109e4d
Instruction ID: 6bdf29fae570235d1682402082cf6389c95e6632e775cb1128b50bf74d715375
Opcode Fuzzy Hash: e6237ee9c22d16a9f5105c24c651196e7f45dd025fdbbc34c5cb3a3db8109e4d
Instruction Fuzzy Hash: 3B41B2B1900748CFDB309BA48A417BBB7F8AF45324F18062DF76A562E2D7716505CB62

Function 00B0ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B0ACDE,00B00760,00AFB77F,BB40E64E,?,?,?,?,00B1BFCA,000000FF), ref: 00B0ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B0AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B0AD1C
SetLastError.KERNEL32(00000000,?,00B0ACDE,00B00760,00AFB77F,BB40E64E,?,?,?,?,00B1BFCA,000000FF), ref: 00B0AD6E

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0991a6165c623d95df2752f446314cbd05f21d4b7ee80df87353de1524c182d9
Instruction ID: 87488e8f5757099b1201625938fd0af79e1fdc5ee86316f89adca647dffee3b7
Opcode Fuzzy Hash: 0991a6165c623d95df2752f446314cbd05f21d4b7ee80df87353de1524c182d9
Instruction Fuzzy Hash: 5C01BC7220A715AEE7342A747C8986A3FC8EB01B7676007BAF620565E0EF154C83A281

Function 00B0B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B0B68D
CallUnexpected.LIBVCRUNTIME ref: 00B0B906

Strings

csm, xrefs: 00B0B6C4
csm, xrefs: 00B0B5AB
csm, xrefs: 00B0B618

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: f0c0108c6737958f0afea1650087c89081a06578856cfd6ef490eb0c9ca9c814
Instruction ID: e9daf76a2b9dcec6e9aee3efdd61742e8bba7553793f04ef3fc6074ad9551c80
Opcode Fuzzy Hash: f0c0108c6737958f0afea1650087c89081a06578856cfd6ef490eb0c9ca9c814
Instruction Fuzzy Hash: DAB12571800209EFCF29DFA4C881DAEBBF9EF54310F15859AE8116B292D731DA61DB91

Function 00AFBE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00AFBF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 00AFC028

Strings

MOC, xrefs: 00AFBE9F
RCC, xrefs: 00AFBEAB
csm, xrefs: 00AFBEB7

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 322572af133e91acdbcbfaa97ea98876d6f146c3e1762e029eaf94632aedae60
Instruction ID: 25b3e30a9bd5bfaea646506356960313a61b3eb8db46d6b1df132c5c961699fb
Opcode Fuzzy Hash: 322572af133e91acdbcbfaa97ea98876d6f146c3e1762e029eaf94632aedae60
Instruction Fuzzy Hash: AE41AD7491020DDFCF28DFA8CA459BEB7B5AF48300B58809DF649A7652C734EA05CB61

Function 00B055C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00B1BE94,000000FF,?,00B05685,00B0556C,?,00B05721,00000000), ref: 00B055F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B0560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00B1BE94,000000FF,?,00B05685,00B0556C,?,00B05721,00000000), ref: 00B0562D

Strings

CorExitProcess, xrefs: 00B05603
mscoree.dll, xrefs: 00B055F2

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1aba4b92928caa60985aa55f5cdf5bc42e94752c03eb207079b099ef36def44
Instruction ID: e2766b9db8d6e9a5233a61ff166348a18a552fa6db151bead0f42ac132b6d7bd
Opcode Fuzzy Hash: f1aba4b92928caa60985aa55f5cdf5bc42e94752c03eb207079b099ef36def44
Instruction Fuzzy Hash: 6A018631A44A69EFDB229F54DC09FAEBBF8FB04B15F000965F811A36E0DF759905CA90

Function 00B0D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B0D76F
__alloca_probe_16.LIBCMT ref: 00B0D838
__freea.LIBCMT ref: 00B0D89F

Part of subcall function 00B0BF11: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,00AFA67D,00000018,?,00AF3D4A,00000018,00000000), ref: 00B0BF43

__freea.LIBCMT ref: 00B0D8B2
__freea.LIBCMT ref: 00B0D8BF

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 314719ca52a31c40a02d6eb090a0fa51b2ea9a863254c3039a1af985fd6b7b07
Instruction ID: 773937191fed03f376c64c8a222a8f000d73da2024b6b9f5b8f3140edae1914d
Opcode Fuzzy Hash: 314719ca52a31c40a02d6eb090a0fa51b2ea9a863254c3039a1af985fd6b7b07
Instruction Fuzzy Hash: F4518F7260030AAFEB215FA4CC85EBB7EE9EF44760B1546A9FD04D72D1EB70DC1096A0

Function 00AFEFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AFF005
AcquireSRWLockExclusive.KERNEL32(00AF8E38), ref: 00AFF024
AcquireSRWLockExclusive.KERNEL32(00AF8E38,00AFA2F0,?), ref: 00AFF052
TryAcquireSRWLockExclusive.KERNEL32(00AF8E38,00AFA2F0,?), ref: 00AFF0AD
TryAcquireSRWLockExclusive.KERNEL32(00AF8E38,00AFA2F0,?), ref: 00AFF0C4

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: aef4d41f44eb33fc0cb5177dcfe8d33473bdc054a8751b9e9b70fcf5c0db6adf
Instruction ID: 3e1163e2c1fc78e9b43b12830b5257f5d1b9a5a2d2d3e700903ed1fe8b4fda39
Opcode Fuzzy Hash: aef4d41f44eb33fc0cb5177dcfe8d33473bdc054a8751b9e9b70fcf5c0db6adf
Instruction Fuzzy Hash: 9841377150060EDFCB20DFA5C5819BAB3B5FF04311B104A3AF696D7652EB30E985CB55

Function 00AF3C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF3CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00AF3CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3CE0
__Getctype.LIBCPMT ref: 00AF3D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3DD8

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 816a32a021540f577b66813101cd3609e7a899cb2b36a5221f9c1d06290f24d2
Instruction ID: 758f4d800d22f6f241cb9c28426fdb0938c99770ec24e774937fed34929f8c4f
Opcode Fuzzy Hash: 816a32a021540f577b66813101cd3609e7a899cb2b36a5221f9c1d06290f24d2
Instruction Fuzzy Hash: 66415CB2D002188FCB20DF94D944BAEBBB1FF58720F148529E9196B391DB34AD45CF91

Function 00AFD4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AFD4C9
std::_Lockit::_Lockit.LIBCPMT ref: 00AFD4D3
int.LIBCPMT ref: 00AFD4EA

Part of subcall function 00AFC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00AFC1F6
Part of subcall function 00AFC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00AFC210

codecvt.LIBCPMT ref: 00AFD50D
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFD544

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: 11a77e1584597c46cb72c105a33eea7cb939cb09e7bb2fd0daa81a06be1f5d66
Instruction ID: a31e61a6f09a682adaa7db5882f36b081e352c4f40300097b27eb5372cd0677c
Opcode Fuzzy Hash: 11a77e1584597c46cb72c105a33eea7cb939cb09e7bb2fd0daa81a06be1f5d66
Instruction Fuzzy Hash: D301C47290011D9FCF16EBE4CA55AFDBBB6AF84324F144509F619AB281CF749E01C781

Function 00AFADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00AFADDE
std::_Lockit::_Lockit.LIBCPMT ref: 00AFADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00AFAE57

Part of subcall function 00AFACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00AFACC2

std::locale::_Setgloballocale.LIBCPMT ref: 00AFAE04
_Yarn.LIBCPMT ref: 00AFAE1A

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 7208536c46aecdbd874202833c5a2ba54be9fc991ae4a782b0366a5ac5d1d8e2
Instruction ID: 620aadc4d634dd0c5db772a5662d2c1c6bf9b3dea3f77917d1cd368d97b895c1
Opcode Fuzzy Hash: 7208536c46aecdbd874202833c5a2ba54be9fc991ae4a782b0366a5ac5d1d8e2
Instruction Fuzzy Hash: EB01B1B56002249FCB05FBA0D9519BD7BA1FF98750B040019FA0A57391CF345E83CB82

Function 00AF1750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00AF1783

Strings

ios_base::eofbit set, xrefs: 00AF1BEA
ios_base::badbit set, xrefs: 00AF1BFA, 00AF1C20
ios_base::failbit set, xrefs: 00AF1BEF

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 8071a40db3cccc4a67e042650394503a84384e7a137e3acbd1d5d2f585579bc6
Instruction ID: b8671ed244a5bc96b6b9f0ce84f9403831f5b69a8f7d56841a463b05a4cdb74e
Opcode Fuzzy Hash: 8071a40db3cccc4a67e042650394503a84384e7a137e3acbd1d5d2f585579bc6
Instruction Fuzzy Hash: 61F16E75A00218CFCB14DFA8C494BADBBF1FF88324F1942A9E915AB391D775AD41CB90

Function 0042838E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042846B

Strings

G, xrefs: 004283C6
F_, xrefs: 004283CE
rE, xrefs: 004283D6

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: F_$G$rE
API String ID: 237503144-660961108
Opcode ID: f1ce4c99dfae7e1fa712e5bb761be120e16775f2929245c226ba3b30bfe50682
Instruction ID: 5bd656ceda4e220c54c027ba9d4c0afb54d02fb5a392a4f5fdf64161cfeee483
Opcode Fuzzy Hash: f1ce4c99dfae7e1fa712e5bb761be120e16775f2929245c226ba3b30bfe50682
Instruction Fuzzy Hash: 6231ABB520D3508FD328CF65D99175FBBE2EBC5718F088A2CE5964B381C7B498068B4A

Function 00AFB755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00AFB809

Strings

MOC, xrefs: 00AFB789
csm, xrefs: 00AFB7A1
RCC, xrefs: 00AFB795

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: dc88745878b54296d4c220863200661694cb63abd7d0f6426f26286a67af9d1b
Instruction ID: 9e9346141ce869bfd7f555f98d6600ec25419819e81ec5221f706b975eb9fc43
Opcode Fuzzy Hash: dc88745878b54296d4c220863200661694cb63abd7d0f6426f26286a67af9d1b
Instruction Fuzzy Hash: B121FF3582120DDFCB24AFE4C841ABAB7BCEF84360F14455EF61197690DB34AA41CAA0

Function 00B16940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B169DC,00000000,?,00B2D2B0,?,?,?,00B16913,00000004,InitializeCriticalSectionEx,00B20D34,00B20D3C), ref: 00B1694D
GetLastError.KERNEL32(?,00B169DC,00000000,?,00B2D2B0,?,?,?,00B16913,00000004,InitializeCriticalSectionEx,00B20D34,00B20D3C,00000000,?,00B0BBBC), ref: 00B16957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B1697F

Strings

api-ms-, xrefs: 00B16964

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 063ab4cad0408578957aefc971318741ecf8ee5b517d123eeba19bef0e700822
Instruction ID: 73bedeab8dcf795883717703a43004c8f2d4d341deb24495a8f5dd79f2d06d33
Opcode Fuzzy Hash: 063ab4cad0408578957aefc971318741ecf8ee5b517d123eeba19bef0e700822
Instruction Fuzzy Hash: 99E01230380248B7DF201B60EC46BAD3B99DB54BD1F640460F94CA84E0DB71DC919944

Function 00B13F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00B14001

Part of subcall function 00B0C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B0D895,?,00000000,-00000008), ref: 00B0C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B14253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B14299
GetLastError.KERNEL32 ref: 00B1433C

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 41efb2d68a1f62d1dca26da1fb5c350221c3e25cd35f1e867f1d79298c62966e
Instruction ID: 8174bf464697edb1ef663fc0e438d596defd3aebcde232d6c0a4dbbb754e851f
Opcode Fuzzy Hash: 41efb2d68a1f62d1dca26da1fb5c350221c3e25cd35f1e867f1d79298c62966e
Instruction Fuzzy Hash: 50D169B5D002589FCB15CFA8D880AEDBBF5FF09314F6845AAE525EB351D730A982CB50

Function 00B0B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B0B35C
___AdjustPointer.LIBCMT ref: 00B0B37F
___AdjustPointer.LIBCMT ref: 00B0B41B

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a175c6b2012d1d8bc90afee1cbaeae5cdde310a0edaf6a3b7c8d0b6c77a9d780
Instruction ID: f58c401774273951d38b93b19be1933074de1c20b598d0fbcf1f22fe1de15ed7
Opcode Fuzzy Hash: a175c6b2012d1d8bc90afee1cbaeae5cdde310a0edaf6a3b7c8d0b6c77a9d780
Instruction Fuzzy Hash: 7F51D072A04606AFDB299F50D991FBABBE4EF00710F2441ADF906572E1E731ED80CB94

Function 00AF7220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AF72C5
std::_Throw_Cpp_error.LIBCPMT ref: 00AF7395
std::_Throw_Cpp_error.LIBCPMT ref: 00AF73A3
std::_Throw_Cpp_error.LIBCPMT ref: 00AF73B1

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: bd087d07a01171cf1a957864dd02381b6e6aca886dd0f582fdd0511ed2d61f7a
Instruction ID: 8de56c78e9635646a2d2cba45f0eeec81517da6d987564820373b9cdfa9e4056
Opcode Fuzzy Hash: bd087d07a01171cf1a957864dd02381b6e6aca886dd0f582fdd0511ed2d61f7a
Instruction Fuzzy Hash: 4A41E5B190430DDBDB20EBA4C94177EB7B5BF44320F144639FA568B691EB34E815CB91

Function 00B11DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00B0C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B0D895,?,00000000,-00000008), ref: 00B0C082

GetLastError.KERNEL32 ref: 00B11E2A
__dosmaperr.LIBCMT ref: 00B11E31
GetLastError.KERNEL32 ref: 00B11E6B
__dosmaperr.LIBCMT ref: 00B11E72

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: de66dbea359a6fbd597b07b89e77d97c299a414e050104f5f781cf898fcb1b02
Instruction ID: ec369df68fe0c2f9a8ab6a02a2cdc47555baeb6fc662ceea5273cad6659a2ce9
Opcode Fuzzy Hash: de66dbea359a6fbd597b07b89e77d97c299a414e050104f5f781cf898fcb1b02
Instruction Fuzzy Hash: DB21DA72604615AFDB20AFA9D8808ABBBEDFF003647508999FE15D7151DB30EC91C790

Function 00B02BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f35e0816e392163fdda5f67e9d1df99fa233976628dea6cff61ae211fcb823a
Instruction ID: 26f4a5b61b09f78186b1d485c8e6d1a201dbb681b6368dd117f6c098ac7a3220
Opcode Fuzzy Hash: 7f35e0816e392163fdda5f67e9d1df99fa233976628dea6cff61ae211fcb823a
Instruction Fuzzy Hash: 14219D71604215AFEB31AF658D8996ABFE8FF40364B108599F85A972D1EF30EC4487A0

Function 00B131BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B131C6

Part of subcall function 00B0C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B0D895,?,00000000,-00000008), ref: 00B0C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B131FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B1321E

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: aed3f583f2edc55eaa6a9cd207a6054a7687320e04c786bb3dcbb23996d66cc5
Instruction ID: 2dfd0da7df54c30073660dfca98a006503e803329888f4b18bfe0a4817e787af
Opcode Fuzzy Hash: aed3f583f2edc55eaa6a9cd207a6054a7687320e04c786bb3dcbb23996d66cc5
Instruction Fuzzy Hash: F711ADB1501115BEA6223BB59C8ACEF6EDCDE86B9475009A4FA0592140FF749F8181B1

Function 00B1ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00B1A2EF,00000000,00000001,00000000,?,?,00B14390,?,00000000,00000000), ref: 00B1ADB7
GetLastError.KERNEL32(?,00B1A2EF,00000000,00000001,00000000,?,?,00B14390,?,00000000,00000000,?,?,?,00B13CD6,00000000), ref: 00B1ADC3

Part of subcall function 00B1AE20: CloseHandle.KERNEL32(FFFFFFFE,00B1ADD3,?,00B1A2EF,00000000,00000001,00000000,?,?,00B14390,?,00000000,00000000,?,?), ref: 00B1AE30

___initconout.LIBCMT ref: 00B1ADD3

Part of subcall function 00B1ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B1AD91,00B1A2DC,?,?,00B14390,?,00000000,00000000,?), ref: 00B1AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00B1A2EF,00000000,00000001,00000000,?,?,00B14390,?,00000000,00000000,?), ref: 00B1ADE8

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 59405f7a9e99dd4b2a23f651160082675c92263fa1dd2157e26dcbae97af288a
Instruction ID: 82d4738484fe7afe51e5be0587fe8ee51259ef67b0c214262e96e5037cb98fd7
Opcode Fuzzy Hash: 59405f7a9e99dd4b2a23f651160082675c92263fa1dd2157e26dcbae97af288a
Instruction Fuzzy Hash: EBF01C36501118BBCF322FD5EC089DA3F66FF087B1B504061FA0886130DF329CA1AB91

Function 00B004F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B00507
GetCurrentThreadId.KERNEL32 ref: 00B00516
GetCurrentProcessId.KERNEL32 ref: 00B0051F
QueryPerformanceCounter.KERNEL32(?), ref: 00B0052C

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: f01b7cc8fb23ed2ddc0a33628b6ad7d742efa16a9722243eb1cc368b42f87a85
Instruction ID: d4f5f6be5afdf136459d02cdf2d2e03cb98b71bf611770c7f25c47ed500a6974
Opcode Fuzzy Hash: f01b7cc8fb23ed2ddc0a33628b6ad7d742efa16a9722243eb1cc368b42f87a85
Instruction Fuzzy Hash: 85F06274D1020DEBCB10EFB4DA4999EBBF4FF1C200B9149A5E412E7114EB30AB459B50

Function 00428B70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00428C06

Strings

{y, xrefs: 00428B82
w, xrefs: 00428B92

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: w${y
API String ID: 237503144-4287220308
Opcode ID: 4c2a1f90097c24bef0d4c1f97d8d8bac896b712e4a17a7f0d88e918e43a00912
Instruction ID: 15914a7c29113598c32f40c9e19fdd9eb769565e280641073aa5d13e0b81bd31
Opcode Fuzzy Hash: 4c2a1f90097c24bef0d4c1f97d8d8bac896b712e4a17a7f0d88e918e43a00912
Instruction Fuzzy Hash: B7416C767497118BD3208F68BC8176FB7D1EBC1310F25453EE899C7280EE79D90A479A

Function 00AF73E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00AF7526
___std_exception_copy.LIBVCRUNTIME ref: 00AF7561

Part of subcall function 00AFAF37: CreateThreadpoolWork.KERNEL32(00AFB060,00AF8A2A,00000000), ref: 00AFAF46
Part of subcall function 00AFAF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00AFAF53

Strings

Fail to schedule the chore!, xrefs: 00AF7551, 00AF7560

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: 849f6bdcf598bef03304bb5e51af8c9a918dab824b1fcf118214d996e86cc107
Instruction ID: 73ff52a3daf08e7b62b5f4a0922dd8c64094a3e29e2be0c086a72bbd444cc7b9
Opcode Fuzzy Hash: 849f6bdcf598bef03304bb5e51af8c9a918dab824b1fcf118214d996e86cc107
Instruction Fuzzy Hash: 96519AB19012189FCB11EF94D844BBEBBB1FF08314F144129F919AB391DB75AA05CF91

Function 00B0B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00B0B893,?,?,00000000,00000000,00000000,?), ref: 00B0B9B7

Strings

MOC, xrefs: 00B0B9C9
RCC, xrefs: 00B0B9D1

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 473b27bdf4bc262935e277734c9a50d01b7b42d7e39b27caaedfde73221fb503
Instruction ID: 96cd0183016edc4a0f16059e7cd1a9bc203388d400cbb735f39fd13615491e39
Opcode Fuzzy Hash: 473b27bdf4bc262935e277734c9a50d01b7b42d7e39b27caaedfde73221fb503
Instruction Fuzzy Hash: FF413672A00209AFCF15DF98CC81EAEBFB5FF48300F198199FA14A72A2D7359950DB51

Function 00AF3E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AF3EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00AF4002

Part of subcall function 00AFABC5: _Yarn.LIBCPMT ref: 00AFABE5
Part of subcall function 00AFABC5: _Yarn.LIBCPMT ref: 00AFAC09

Strings

bad locale name, xrefs: 00AF3F46

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: e600abbcf7bae4abf7241595f5ad371c89afddec193707993087629b3b155ab4
Instruction ID: 9c096a05d6de0f2e5e5c8c19266722ad5fe8dcc05d2c54ab6db24c13c59aa335
Opcode Fuzzy Hash: e600abbcf7bae4abf7241595f5ad371c89afddec193707993087629b3b155ab4
Instruction Fuzzy Hash: A541A2F1A007459BEB10DF69C805B6BBBF8BF04714F044628E5499B781E77AE518CBE1

Function 00B0B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B0B475

Strings

csm, xrefs: 00B0B497
csm, xrefs: 00B0B508

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 507c2daa61c23ab85a8b105b60c1f1788e2668baf0c3ab5cd89bd93aac28a879
Instruction ID: 209e286b9d493a7b91bd6e2996598642437c040d599c87671375462c9581f40d
Opcode Fuzzy Hash: 507c2daa61c23ab85a8b105b60c1f1788e2668baf0c3ab5cd89bd93aac28a879
Instruction Fuzzy Hash: 5631A172410219EFCF269F50CC51CAA7FA6EB18315B1846DAF9544A2A2C332DEA1DB81

Function 00AFB831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00AFB8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 00AFB8DE

Part of subcall function 00B0060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00AFF354,00000000,?,?,?,00AFF354,00AF3D4A,00B2759C,00AF3D4A), ref: 00B0066D

Part of subcall function 00B08353: IsProcessorFeaturePresent.KERNEL32(00000017,00B0378B,?,?,?,?,00000000,?,?,?,00AFB5AC,00AFB4E0,00000000,?,?,00AFB4E0), ref: 00B0836F

Strings

csm, xrefs: 00AFB86D

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: a7298c4cf26430d513022681f5716814f75d65daa9ae89d381900abd81a10446
Instruction ID: 3b8fecba60c3d8539a36efa00792549fa7b9161d9efb8c330ab7d7bde0395762
Opcode Fuzzy Hash: a7298c4cf26430d513022681f5716814f75d65daa9ae89d381900abd81a10446
Instruction Fuzzy Hash: D9214531E2021CEBCF24DFD9D945ABEB7B9AF84750F180419F606AB250CB70AD45CBA1

Function 00423070 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00423108

Strings

jk&,, xrefs: 00423157
fk&,, xrefs: 00423116

Memory Dump Source

Source File: 00000002.00000002.1737895180.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Script.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: fk&,$jk&,
API String ID: 237503144-1303170083
Opcode ID: 44ff3911efd333fc3ee3f7bfdc9ec8d6fac3558c98616d764f91e1e6d4c19134
Instruction ID: c770f829dce2bd5a4f65e039cff7956c7abee7ac5692e81afd1c73524adf907b
Opcode Fuzzy Hash: 44ff3911efd333fc3ee3f7bfdc9ec8d6fac3558c98616d764f91e1e6d4c19134
Instruction Fuzzy Hash: B121C13524C3509BE314CF25D881B5F7BA1EBC1714F24CA2CE4D59B6C1DBB9890ACB96

Function 00AFB46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AF2673

Strings

bad array new length, xrefs: 00AF2626
ios_base::badbit set, xrefs: 00AF2650

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 8c784e51d394c0edbc5dac11fa9e840a05084b7274ab05c276cdfa2915c8b1b0
Instruction ID: 6889cb0736b0b1b90b39c7ef4eb324d1486b110c8dda68201d5ce3dd9e19ad44
Opcode Fuzzy Hash: 8c784e51d394c0edbc5dac11fa9e840a05084b7274ab05c276cdfa2915c8b1b0
Instruction Fuzzy Hash: 9701BCF2614304ABDB04AF28D856B6ABBE4EF08318F4189ACF45DCB341D775E848CB81

Function 00AF2610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B0060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00AFF354,00000000,?,?,?,00AFF354,00AF3D4A,00B2759C,00AF3D4A), ref: 00B0066D

___std_exception_copy.LIBVCRUNTIME ref: 00AF2673

Strings

bad array new length, xrefs: 00AF2626
ios_base::badbit set, xrefs: 00AF2650

Memory Dump Source

Source File: 00000002.00000002.1737952646.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AF0000, based on PE: true

Associated: 00000002.00000002.1737940036.0000000000AF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737973499.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737987766.0000000000B2A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1737999730.0000000000B2F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738011418.0000000000B32000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1738038023.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_af0000_Script.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: d1464c8679519f1ff76141e63537c9345d26f63cba690b9ba3b6dc76a54ba965
Instruction ID: 9b44283b77d0c54e4365400f313406439f681624fd5b71afc6af70cc038d04f9
Opcode Fuzzy Hash: d1464c8679519f1ff76141e63537c9345d26f63cba690b9ba3b6dc76a54ba965
Instruction Fuzzy Hash: C1F0F8F2614310ABD700AF18D84A747BBE4EB59718F418C9CF5989B350D7B5D448CB92

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Script.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
Script.exe

Function 00B2A19E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00AF1FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Function 00AF24B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Function 00B0CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00AF1750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Function 00B05349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00B054EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00B0565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00B13BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00B143CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00AF90F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Function 00B0DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00AF1EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON