Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1583460
MD5:	0a42cbe3d32c42cfccf044a27e02b7ff
SHA1:	b1414b892bfd63920dee379642c872a445cd1470
SHA256:	cf33803ead9f221274a5ef6bfd8121dce055921bbf7b8053624f22277fb00f90
Tags:	exeLummaStealeruser-jstrosch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 3364 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0A42CBE3D32C42CFCCF044A27E02B7FF)

WerFault.exe (PID: 1756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1656 MD5: F5210A4A7E411A1BAD3844586A74B574)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["screwamusresz.buzz", "inherineau.buzz", "scentniej.buzz", "prisonyfork.buzz", "hummskitnj.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "appliacnesot.buzz"], "Build id": "4h5VfH--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1592451613.00000000024D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1672490969.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1018:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.3.file.exe.24d0000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.3.file.exe.24d0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.file.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:53.090605+0100	2028371	3	Unknown Traffic	192.168.2.3	49711	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:52.392618+0100	2058572	1	Domain Observed Used for C2 Detected	192.168.2.3	63669	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:52.260109+0100	2058576	1	Domain Observed Used for C2 Detected	192.168.2.3	60692	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:52.406215+0100	2058578	1	Domain Observed Used for C2 Detected	192.168.2.3	63648	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:52.366932+0100	2058580	1	Domain Observed Used for C2 Detected	192.168.2.3	63998	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:52.295836+0100	2058584	1	Domain Observed Used for C2 Detected	192.168.2.3	56865	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:52.331734+0100	2058586	1	Domain Observed Used for C2 Detected	192.168.2.3	54263	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:52.352822+0100	2058588	1	Domain Observed Used for C2 Detected	192.168.2.3	53131	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:52.382088+0100	2058590	1	Domain Observed Used for C2 Detected	192.168.2.3	51095	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:10:53.607567+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.3	49711	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.3.file.exe.24d0000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["screwamusresz.buzz", "inherineau.buzz", "scentniej.buzz", "prisonyfork.buzz", "hummskitnj.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "appliacnesot.buzz"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.3:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	0_2_0043CD60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp al, 2Eh	0_2_00426054
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00426054
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_0043B05D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_0043B05D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_0043B068
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_0043B068
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	0_2_0040E83B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_0043B05B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_0043B05B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0040A940
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	0_2_0040A940
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	0_2_0040C917
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_0043C1F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	0_2_00425990
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, di	0_2_00425990
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_0043B195
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	0_2_0043B9A1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	0_2_004369A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_2_0041E9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_004299B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	0_2_0042526A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, edi	0_2_0041D270
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov esi, eax	0_2_00423A34
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	0_2_0043D2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_0043D2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_0043C280
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	0_2_00415298
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00415298
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0043AAB2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	0_2_004252BA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	0_2_004252BA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, ebx	0_2_0041CB05
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	0_2_0043CB20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, eax	0_2_00427326
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_004143C2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, dword ptr [esp+34h]	0_2_004143C2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042A3D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0042C45C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	0_2_00436C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	0_2_0042B4FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0042B4FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	0_2_00418578
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, eax	0_2_0042750D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_00421D10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	0_2_0040DD25
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, edx	0_2_0040BDC9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	0_2_00417582
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	0_2_00427DA2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	0_2_004205B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042C64A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0042AE48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00426E50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	0_2_0042B4F7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0042B4F7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0042AE24
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00433630
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042C6E4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_00425E90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	0_2_0043CE90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004166A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041BEA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0042ADF4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, edx	0_2_0041C6BB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_0043BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	0_2_00415F66
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	0_2_0043A777
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	0_2_00409700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	0_2_00409700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	0_2_00409700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042C726
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042C735
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0040CFF3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	0_2_0040CFF3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_0041DF80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	0_2_0040D7A2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	0_2_0040D7A2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0248D25A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	0_2_0248D25A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_024BC268
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_024BB2CF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_024BB2CF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_024BB2C4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_024BB2C4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_024BB2C2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_024BB2C2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_024BB3FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp al, 2Eh	0_2_024A63B6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, edx	0_2_0248C030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_024A70E4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	0_2_024BD0F7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_024A60F7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_024AB08B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_024AB0AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_024AB05B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_0249E1E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_024AA637
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_024AC6C3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	0_2_024AB763
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_024AB763
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_024A6739
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	0_2_024987DF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	0_2_024977E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_024BC79B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, eax	0_2_024A7797
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	0_2_024A54D1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, edi	0_2_0249D4D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	0_2_0249554C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	0_2_02496544
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	0_2_024BD557
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_024BD557
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0249C528
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	0_2_024A552B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	0_2_024A559D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	0_2_024A55B3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	0_2_0248DA09
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	0_2_0248DA09
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	0_2_0248EAA2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	0_2_0248CB7E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	0_2_024A5BF7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, di	0_2_024A5BF7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0248ABA7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	0_2_0248ABA7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	0_2_024AB75E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_024AB75E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_02494806
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	0_2_024A0817
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_024B3897
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_024AC8B1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_024AC94B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	0_2_02489967
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	0_2_02489967
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	0_2_02489967
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02496907
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, edx	0_2_0249C921
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	0_2_024A89C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	0_2_024BA9DE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_024AC98D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_024AC99C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	0_2_024B6E67
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_02495F79
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_024A1F77
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ebx], dx	0_2_02498F35
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_02498F35
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	0_2_024BCFC7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	0_2_0248DF8C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	0_2_024BBC08
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_024A9C17
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_2_0249EC17
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	0_2_024B6C3B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov esi, eax	0_2_024A3C9B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_024BAD19
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	0_2_024BCD87

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058576 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) : 192.168.2.3:60692 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058590 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) : 192.168.2.3:51095 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058586 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) : 192.168.2.3:54263 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058584 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) : 192.168.2.3:56865 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058578 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) : 192.168.2.3:63648 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058580 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) : 192.168.2.3:63998 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058588 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) : 192.168.2.3:53131 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) : 192.168.2.3:63669 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.3:49711 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.3:49711 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000002.1672672683.0000000000B91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=bdf42492f31741ce663384eb; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 02 Jan 2025 19:10:53 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: cashfuzysao.buzz
Source: global traffic	DNS traffic detected: DNS query: prisonyfork.buzz
Source: global traffic	DNS traffic detected: DNS query: rebuildeso.buzz
Source: global traffic	DNS traffic detected: DNS query: scentniej.buzz
Source: global traffic	DNS traffic detected: DNS query: inherineau.buzz
Source: global traffic	DNS traffic detected: DNS query: screwamusresz.buzz
Source: global traffic	DNS traffic detected: DNS query: appliacnesot.buzz
Source: global traffic	DNS traffic detected: DNS query: hummskitnj.buzz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672617795.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610904239.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610682267.0000000000B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.1672559717.0000000000B48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/pTJC
Source: file.exe, 00000000.00000002.1672559717.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610904239.0000000000B72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1610682267.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672672683.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610682267.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.3:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004310D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004310D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004310D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004310D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00431839 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00431839

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1672490969.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B44C	0_2_0040B44C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408790	0_2_00408790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426054	0_2_00426054
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B068	0_2_0043B068
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414070	0_2_00414070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C020	0_2_0043C020
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00439830	0_2_00439830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D830	0_2_0043D830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B0E1	0_2_0041B0E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041F0E0	0_2_0041F0E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004210E0	0_2_004210E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00435890	0_2_00435890
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00434098	0_2_00434098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D0A0	0_2_0043D0A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004180A9	0_2_004180A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040A940	0_2_0040A940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041714B	0_2_0041714B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C917	0_2_0040C917
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B12C	0_2_0042B12C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F130	0_2_0042F130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B1C0	0_2_0042B1C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D9E0	0_2_0041D9E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004361E0	0_2_004361E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004111E5	0_2_004111E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004059F0	0_2_004059F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004239F2	0_2_004239F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C1F0	0_2_0043C1F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F9FD	0_2_0040F9FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00425990	0_2_00425990
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B9A1	0_2_0043B9A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406250	0_2_00406250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D270	0_2_0041D270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00424A74	0_2_00424A74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409230	0_2_00409230
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00423A34	0_2_00423A34
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004192DA	0_2_004192DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D2F0	0_2_0043D2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C280	0_2_0043C280
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415298	0_2_00415298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004082AE	0_2_004082AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004252BA	0_2_004252BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CB05	0_2_0041CB05
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00428BC0	0_2_00428BC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004143C2	0_2_004143C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402BD0	0_2_00402BD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00428BE9	0_2_00428BE9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437399	0_2_00437399
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004393A0	0_2_004393A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416BA5	0_2_00416BA5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004293AA	0_2_004293AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004223B8	0_2_004223B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00436C00	0_2_00436C00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00423410	0_2_00423410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B4FC	0_2_0042B4FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404CB0	0_2_00404CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004074B0	0_2_004074B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DD50	0_2_0041DD50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418578	0_2_00418578
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042D57E	0_2_0042D57E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00424502	0_2_00424502
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421D10	0_2_00421D10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DD25	0_2_0040DD25
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D5E0	0_2_0041D5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417582	0_2_00417582
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D580	0_2_0043D580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00427DA2	0_2_00427DA2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004205B0	0_2_004205B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C64A	0_2_0042C64A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426E50	0_2_00426E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B4F7	0_2_0042B4F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043462A	0_2_0043462A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00435630	0_2_00435630
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004066E0	0_2_004066E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C6E4	0_2_0042C6E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00430EF0	0_2_00430EF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004256F9	0_2_004256F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00422E93	0_2_00422E93
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00425E90	0_2_00425E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004156A0	0_2_004156A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041BEA0	0_2_0041BEA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00438EA0	0_2_00438EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00435EA0	0_2_00435EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405EB0	0_2_00405EB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041C6BB	0_2_0041C6BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415F66	0_2_00415F66
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00419770	0_2_00419770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409700	0_2_00409700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C726	0_2_0042C726
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C735	0_2_0042C735
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DF80	0_2_0041DF80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402FA0	0_2_00402FA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02483207	0_2_02483207
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024BB2CF	0_2_024BB2CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B42FF	0_2_024B42FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249B348	0_2_0249B348
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249734A	0_2_0249734A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A1347	0_2_024A1347
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249F347	0_2_0249F347
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024BD307	0_2_024BD307
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024883C7	0_2_024883C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AB393	0_2_024AB393
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AF397	0_2_024AF397
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024973B2	0_2_024973B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A8009	0_2_024A8009
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0248C0E8	0_2_0248C0E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B1157	0_2_024B1157
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A8108	0_2_024A8108
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B9107	0_2_024B9107
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B6107	0_2_024B6107
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02486117	0_2_02486117
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249E1E7	0_2_0249E1E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249C1AC	0_2_0249C1AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B9607	0_2_024B9607
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A9611	0_2_024A9611
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AB763	0_2_024AB763
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02487717	0_2_02487717
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024987DF	0_2_024987DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024BD7E7	0_2_024BD7E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AD7E5	0_2_024AD7E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249144C	0_2_0249144C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B6447	0_2_024B6447
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AB427	0_2_024AB427
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249D4D7	0_2_0249D4D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02489497	0_2_02489497
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024864B7	0_2_024864B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02499541	0_2_02499541
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024BD557	0_2_024BD557
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249C528	0_2_0249C528
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024845D7	0_2_024845D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B5AF7	0_2_024B5AF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B9A97	0_2_024B9A97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024BDA97	0_2_024BDA97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0248CB7E	0_2_0248CB7E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A5BF7	0_2_024A5BF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02497BA7	0_2_02497BA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0248ABA7	0_2_0248ABA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249D847	0_2_0249D847
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AB75E	0_2_024AB75E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A0817	0_2_024A0817
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B4891	0_2_024B4891
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B5897	0_2_024B5897
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AC8B1	0_2_024AC8B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AC94B	0_2_024AC94B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02486947	0_2_02486947
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02489967	0_2_02489967
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249C921	0_2_0249C921
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024999D7	0_2_024999D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024889F7	0_2_024889F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AC98D	0_2_024AC98D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024AC99C	0_2_024AC99C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024B6E67	0_2_024B6E67
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02482E37	0_2_02482E37
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A1F77	0_2_024A1F77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02484F17	0_2_02484F17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02498F35	0_2_02498F35
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0248DF8C	0_2_0248DF8C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249DFB7	0_2_0249DFB7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249DC47	0_2_0249DC47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02485C57	0_2_02485C57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0248FC64	0_2_0248FC64
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024BBC08	0_2_024BBC08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02483C27	0_2_02483C27
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A4CF4	0_2_024A4CF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024A3C9B	0_2_024A3C9B

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 024881D7 appears 78 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00414060 appears 74 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00407F70 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 024942C7 appears 74 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1656

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1672490969.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AFB046 CreateToolhelp32Snapshot,Module32First,

0_2_00AFB046

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004361E0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

0_2_004361E0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3364

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1360f3fe-973e-4874-af63-11a3a4bd6656

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1656

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043F83E push es; retf	0_2_0043F83F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041ACF6 push esp; iretd	0_2_0041ACFF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00444520 push ebp; ret	0_2_00444522
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043BF00 push eax; mov dword ptr [esp], 49484716h	0_2_0043BF01
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFDA95 pushad ; ret	0_2_00AFDA9A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFDD1B push ebp; ret	0_2_00AFDD20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024BC167 push eax; mov dword ptr [esp], 49484716h	0_2_024BC168
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024BF6A5 push es; retf	0_2_024BF6A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0249AF5D push esp; iretd	0_2_0249AF66

Source: file.exe

Static PE information: section name: .text entropy: 7.375217208642533

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4144

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.1672617795.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610904239.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 9c 31 6b 7d 78 89-be 90 b3 22 a5 ab 1b 52
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0043A9B0 LdrInitializeThunk,

0_2_0043A9B0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFA923 push dword ptr fs:[00000030h]	0_2_00AFA923
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0248092B mov eax, dword ptr fs:[00000030h]	0_2_0248092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02480D90 mov eax, dword ptr fs:[00000030h]	0_2_02480D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: hummskitnj.buzz
Source: file.exe	String found in binary or memory: cashfuzysao.buzz
Source: file.exe	String found in binary or memory: appliacnesot.buzz
Source: file.exe	String found in binary or memory: screwamusresz.buzz
Source: file.exe	String found in binary or memory: inherineau.buzz
Source: file.exe	String found in binary or memory: scentniej.buzz
Source: file.exe	String found in binary or memory: rebuildeso.buzz
Source: file.exe	String found in binary or memory: prisonyfork.buzz

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.24d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.24d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1592451613.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.24d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.24d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1592451613.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	76%	ReversingLabs	Win32.Trojan.Phasyrr
file.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
cashfuzysao.buzz	unknown	unknown	false	high
scentniej.buzz	unknown	unknown	false	high
inherineau.buzz	unknown	unknown	false	high
prisonyfork.buzz	unknown	unknown	false	high
rebuildeso.buzz	unknown	unknown	false	high
appliacnesot.buzz	unknown	unknown	false	high
hummskitnj.buzz	unknown	unknown	false	high
screwamusresz.buzz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
scentniej.buzz	false	high
hummskitnj.buzz	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
rebuildeso.buzz	false	high
appliacnesot.buzz	false	high
screwamusresz.buzz	false	high
cashfuzysao.buzz	false	high
inherineau.buzz	false	high
prisonyfork.buzz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/pTJC	file.exe, 00000000.00000002.1672559717.0000000000B48000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610682267.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.4.dr	false	high
https://store.steampowered.com/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672617795.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610904239.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610682267.0000000000B60000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672517278.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	file.exe, 00000000.00000003.1610682267.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1672672683.0000000000B91000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	file.exe, 00000000.00000003.1610640049.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1610640049.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583460
Start date and time:	2025-01-02 20:09:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 14 Number of non-executed functions: 236
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 40.126.32.134, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): www.bing.com, watson.events.data.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollectorcommon.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:10:50	API Interceptor	3x Sleep call for process: file.exe modified
14:10:58	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	104.102.49.254
	gdi32.dll	Get hash	malicious	LummaC	Browse	23.55.153.106
	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	23.32.185.35
	DEMONS.x86.elf	Get hash	malicious	Unknown	Browse	96.25.164.130
	DEMONS.spc.elf	Get hash	malicious	Unknown	Browse	104.115.175.219
	ab_j	Get hash	malicious	Rust Stealer	Browse	23.67.65.229
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	armv6l.elf	Get hash	malicious	Unknown	Browse	104.72.144.32
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.102.43.106
	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	96.17.237.158
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.102.49.254
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	104.102.49.254
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	104.102.49.254
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	104.102.49.254
	Setup.exe.7z	Get hash	malicious	Unknown	Browse	104.102.49.254
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	ETVk1yP43q.exe	Get hash	malicious	AZORult	Browse	104.102.49.254
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_b4631a8323cfff3c86fa2bf9728a9dd766a124_fc62de6f_a206c1fc-a90c-448e-8e0d-db88e2735579\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9469612238732065
Encrypted:	false
SSDEEP:	192:7Eq/rjxviPRwZg0PtksPI3ju3RSuiFTH4IO8TFB:ge1iePWs4jgSuiFTH4IO8X
MD5:	DDD2F5AB01470A0798F8C0DC315301A1
SHA1:	FA8D9E5DBB108BEF5D35AB66EDA7D03C90DD6264
SHA-256:	7FF0C594F05D981A7ABBFABE46C9CBDCEBA4DDF934608917740877717C5AE779
SHA-512:	92901BFB27FC313266F88591C2412CF6BEF7BAFC488727A8D8AB0B7116674E8F2B58AE6A3755987D868288FD01E2CA82616A6D682A68015E678D4DCBCAD7225F
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.3.1.8.6.5.2.7.9.1.9.3.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.3.1.8.6.5.3.6.5.1.3.0.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.0.6.c.1.f.c.-.a.9.0.c.-.4.4.8.e.-.8.e.0.d.-.d.b.8.8.e.2.7.3.5.5.7.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.0.2.7.e.d.0.-.e.f.5.7.-.4.9.8.7.-.9.b.c.d.-.3.2.7.4.6.7.8.2.9.c.d.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.2.4.-.0.0.0.1.-.0.0.1.5.-.d.7.4.f.-.4.e.0.8.4.a.5.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.1.4.1.4.b.8.9.2.b.f.d.6.3.9.2.0.d.e.e.3.7.9.6.4.2.c.8.7.2.a.4.4.5.c.d.1.4.7.0.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3324.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 2 19:10:52 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	45418
Entropy (8bit):	2.547382473048248
Encrypted:	false
SSDEEP:	192:E7hXrkMctOx1BRDoGXoZexgpsp1Poz+5jc7FDT08Ego1QBE0w+YD6r:oeM7TBSGXoZeqpsp13jcNAoKQZw96r
MD5:	DFD097AC40299717FDFA1DA34B3DD33C
SHA1:	D56BDB11FF0EC551103C749A5C5E5CBD43078850
SHA-256:	7945F2976A464DFB2CBFB6857B77BAA45B6576CA5AE175836D87F6FC5F06D8E1
SHA-512:	3DE8415580F05742DEBB3966555D3731CFA3444B549CA2D66843EDB5AE4D7A7D29619718D0086F2BF1D4316D84D618A97A60686E823CED1BD3C7B723C7A6A37D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........vg............4...............H.......l...<.......t...x,..........`.......8...........T........... @..Jq......................................................................................................eJ......, ......GenuineIntel............T.......$.....vg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34CB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8272
Entropy (8bit):	3.693042806373853
Encrypted:	false
SSDEEP:	192:R6l79RJ2CV6K6Yw1SU9MZcgmfB/+7oZulpDM89bLsqsf0E5m:R6lXJn6K6YCSU9IcgmfXcJLsJfa
MD5:	3C7653910B52AEEC6E2D301945E5E6EB
SHA1:	F2ADFD6FF3B4B7133C3F4DCA0CF73C9044382781
SHA-256:	A66C90E7CB9E9C69EA279964113DFDD8140BCC9C56A7D85B7A3822C552DBF49D
SHA-512:	767870E422E4AC875BB4D1BABABC128D02E2A9C12930819190DFFA23DA2475737B79E7DBF4A1CF923F92DE73E6565239F33554D37CBBF22B29849907D940ACB0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...3.4.4.8...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.3.4.4.8.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER35E5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4540
Entropy (8bit):	4.433432167225202
Encrypted:	false
SSDEEP:	48:cvIwr7SGl8zs5JgkZ7aI96dWpW8VYvYm8M4Jv98paFB+q8iICuHqnvRztXd:uIafLh70s7VvJJSqn5ztXd
MD5:	3BB981E5F496341A50E60EF82B593D6A
SHA1:	BBF3367CA782B3FFD065027CF3797BE8FC2DEC5D
SHA-256:	0DFDE1C2928827457F47A3B096B8F1F51A9C8DD33A297737CFD8B2AA2DE55AF7
SHA-512:	14FD4EDDF199F3359C0398F1C711C8B523FA24D9676755797E998FFCF2AC2FDF4499293B1802004BAC890500D5C9553E3113D853325DC31873B29C5051339F1C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="3448" />.. <arg nm="verqfe" val="3448" />.. <arg nm="csdbld" val="3448" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="223002483" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.327025601528755
Encrypted:	false
SSDEEP:	6144:nRJufhX4RxLT+yjH4A0WBIIQfTa765q/E5ySvL+ML61mecRo5d5OWiBev:RJD3BIdBvL+SqcIdYF2
MD5:	02F2F5B4EF15BA1531718E64D0FE1518
SHA1:	16118A3516FBD6DC87D8F101A5E020CE326A9E22
SHA-256:	E17E4B2E6D243DEB56A8EA0043BBD7150717769F653CD32F703E5356A79873BF
SHA-512:	F3EC293DC30E6E816AD2EBA9D677AB87F94380F4C85D6E9859D0C35032D486064F4BD3C01B3A37A09F7BE8F9FE0FA29889AA9008D61CB9EBA7EE5FA824BE5725
Malicious:	false
Reputation:	low
Preview:	regfO...O....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmnx..J]................................................................................................................................................................................................................................................................................................................................................>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4201168321911455
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	375'296 bytes
MD5:	0a42cbe3d32c42cfccf044a27e02b7ff
SHA1:	b1414b892bfd63920dee379642c872a445cd1470
SHA256:	cf33803ead9f221274a5ef6bfd8121dce055921bbf7b8053624f22277fb00f90
SHA512:	1201a82fc26ac577db5a2c2280dc0dce0f7ba35bc75723165476bb3d9757dedce0b15f094cb2b19afd3e50a1d69a905ab7771f4a20644289685f06d5e022ec89
SSDEEP:	6144:/vUtDoXMshft/ho6pOqk0pW3xKPFQ6vcmG3/8yJ7QAu7:/st8X7hoUVkaxPFQ6nKU277u7
TLSH:	BE84CF2839F19226FFF7573026309AA15A7BBCA36A70918F21A0375F5D332D19E61713
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).`.mq..mq..mq...>..oq..s#..sq..s#..yq..s#...q..J.u.jq..mq...q..s#..lq..s#..lq..s#..lq..Richmq..................PE..L...<).d...

File Icon


Icon Hash:	8f97312535251b1a

Static PE Info

General

Entrypoint:	0x401453
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64F6293C [Mon Sep 4 19:00:12 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	3978bc23ce46139d07304b225b33a7c7

Entrypoint Preview

Instruction
call 00007F928C92A049h
jmp 00007F928C92792Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0044B398h], eax
mov dword ptr [0044B394h], ecx
mov dword ptr [0044B390h], edx
mov dword ptr [0044B38Ch], ebx
mov dword ptr [0044B388h], esi
mov dword ptr [0044B384h], edi
mov word ptr [0044B3B0h], ss
mov word ptr [0044B3A4h], cs
mov word ptr [0044B380h], ds
mov word ptr [0044B37Ch], es
mov word ptr [0044B378h], fs
mov word ptr [0044B374h], gs
pushfd
pop dword ptr [0044B3A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044B39Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0044B3A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044B3ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0044B2E8h], 00010001h
mov eax, dword ptr [0044B3A0h]
mov dword ptr [0044B29Ch], eax
mov dword ptr [0044B290h], C0000409h
mov dword ptr [0044B294h], 00000001h
mov eax, dword ptr [00444004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00444008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4284c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x423000	0xe788	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3f35c	0x3f400	18ef132275cecf5a9ce258aa06e13147	False	0.8043671257411067	data	7.375217208642533	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x41000	0x2194	0x2200	faaf1284c50183c70663ce297e2851e5	False	0.3625919117647059	data	5.552390755586888	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x44000	0x3decd8	0xb800	1f636a761babf0a541553059f102fa7c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x423000	0xe788	0xe800	cb1a8865c1315023a0c1549c0c33aa48	False	0.40476831896551724	data	4.51666408838503	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0x429e88	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_CURSOR	0x429fd0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0x42a100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_ICON	0x423630	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.5575692963752665
RT_ICON	0x4244d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.6159747292418772
RT_ICON	0x424d80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.6474654377880185
RT_ICON	0x425448	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.6705202312138728
RT_ICON	0x4259b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.43858921161825726
RT_ICON	0x427f58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.5152439024390244
RT_ICON	0x429000	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.5172131147540984
RT_ICON	0x429988	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.6108156028368794
RT_STRING	0x42c888	0x454	data	0.45126353790613716
RT_STRING	0x42cce0	0x126	data	0.5238095238095238
RT_STRING	0x42ce08	0x652	data	0.43757725587144625
RT_STRING	0x42d460	0x750	data	0.4305555555555556
RT_STRING	0x42dbb0	0x6a4	data	0.4376470588235294
RT_STRING	0x42e258	0x74c	data	0.4229122055674518
RT_STRING	0x42e9a8	0x70e	data	0.4330011074197121
RT_STRING	0x42f0b8	0x84e	data	0.4195672624647225
RT_STRING	0x42f908	0x662	data	0.43512851897184823
RT_STRING	0x42ff70	0x964	data	0.4068219633943428
RT_STRING	0x4308d8	0x66e	data	0.4356014580801944
RT_STRING	0x430f48	0x60a	data	0.444372574385511
RT_STRING	0x431558	0x22a	data	0.47653429602888087
RT_ACCELERATOR	0x429e68	0x20	data	1.15625
RT_GROUP_CURSOR	0x429fb8	0x14	data	1.15
RT_GROUP_CURSOR	0x42c6a8	0x22	data	1.088235294117647
RT_GROUP_ICON	0x429df0	0x76	data	0.6610169491525424
RT_VERSION	0x42c6d0	0x1b4	data	0.5756880733944955

Imports

DLL	Import
KERNEL32.dll	SetLocaleInfoA, DeleteVolumeMountPointA, InterlockedIncrement, GetConsoleAliasA, SetDefaultCommConfigW, GetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetDateFormatA, GetEnvironmentStrings, LoadLibraryW, ReadProcessMemory, GetTimeFormatW, CreateProcessA, GetAtomNameW, GetStartupInfoW, GetShortPathNameA, SetLastError, PulseEvent, SearchPathA, SetFileAttributesA, BuildCommDCBW, GetNumaHighestNodeNumber, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, LocalAlloc, AddAtomA, FoldStringW, OpenFileMappingW, WriteConsoleOutputAttribute, FindFirstVolumeA, FindAtomW, UnregisterWaitEx, CreateFileA, WriteConsoleW, GetProcAddress, GetCommandLineW, MultiByteToWideChar, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, LeaveCriticalSection, EnterCriticalSection, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, ReadFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, GetModuleHandleA
USER32.dll	GetClassLongW
GDI32.dll	GetBitmapBits

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T20:10:52.260109+0100	2058576	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)	1	192.168.2.3	60692	1.1.1.1	53	UDP
2025-01-02T20:10:52.295836+0100	2058584	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)	1	192.168.2.3	56865	1.1.1.1	53	UDP
2025-01-02T20:10:52.331734+0100	2058586	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)	1	192.168.2.3	54263	1.1.1.1	53	UDP
2025-01-02T20:10:52.352822+0100	2058588	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)	1	192.168.2.3	53131	1.1.1.1	53	UDP
2025-01-02T20:10:52.366932+0100	2058580	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)	1	192.168.2.3	63998	1.1.1.1	53	UDP
2025-01-02T20:10:52.382088+0100	2058590	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz)	1	192.168.2.3	51095	1.1.1.1	53	UDP
2025-01-02T20:10:52.392618+0100	2058572	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)	1	192.168.2.3	63669	1.1.1.1	53	UDP
2025-01-02T20:10:52.406215+0100	2058578	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)	1	192.168.2.3	63648	1.1.1.1	53	UDP
2025-01-02T20:10:53.090605+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.3	49711	104.102.49.254	443	TCP
2025-01-02T20:10:53.607567+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.3	49711	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:10:52.429958105 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:52.430006027 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:52.430089951 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:52.435945988 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:52.435966015 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.090492964 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.090605021 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.095261097 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.095268011 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.095599890 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.136970997 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.168862104 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.215338945 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.607609987 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.607639074 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.607686996 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.607702971 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.607737064 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.607742071 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.607759953 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.607837915 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.607837915 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.692512989 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.692598104 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.692619085 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.692681074 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.692749023 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.694195032 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.694225073 CET	443	49711	104.102.49.254	192.168.2.3
Jan 2, 2025 20:10:53.694236994 CET	49711	443	192.168.2.3	104.102.49.254
Jan 2, 2025 20:10:53.694245100 CET	443	49711	104.102.49.254	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:10:52.260108948 CET	60692	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.269711971 CET	53	60692	1.1.1.1	192.168.2.3
Jan 2, 2025 20:10:52.295835972 CET	56865	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.304584026 CET	53	56865	1.1.1.1	192.168.2.3
Jan 2, 2025 20:10:52.331733942 CET	54263	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.341123104 CET	53	54263	1.1.1.1	192.168.2.3
Jan 2, 2025 20:10:52.352822065 CET	53131	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.362318993 CET	53	53131	1.1.1.1	192.168.2.3
Jan 2, 2025 20:10:52.366931915 CET	63998	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.377593994 CET	53	63998	1.1.1.1	192.168.2.3
Jan 2, 2025 20:10:52.382087946 CET	51095	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.390656948 CET	53	51095	1.1.1.1	192.168.2.3
Jan 2, 2025 20:10:52.392617941 CET	63669	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.401478052 CET	53	63669	1.1.1.1	192.168.2.3
Jan 2, 2025 20:10:52.406214952 CET	63648	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.415154934 CET	53	63648	1.1.1.1	192.168.2.3
Jan 2, 2025 20:10:52.416650057 CET	53974	53	192.168.2.3	1.1.1.1
Jan 2, 2025 20:10:52.423533916 CET	53	53974	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 20:10:52.260108948 CET	192.168.2.3	1.1.1.1	0x5323	Standard query (0)	cashfuzysao.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.295835972 CET	192.168.2.3	1.1.1.1	0xc611	Standard query (0)	prisonyfork.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.331733942 CET	192.168.2.3	1.1.1.1	0x62e8	Standard query (0)	rebuildeso.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.352822065 CET	192.168.2.3	1.1.1.1	0xaf6	Standard query (0)	scentniej.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.366931915 CET	192.168.2.3	1.1.1.1	0xd34e	Standard query (0)	inherineau.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.382087946 CET	192.168.2.3	1.1.1.1	0x356b	Standard query (0)	screwamusresz.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.392617941 CET	192.168.2.3	1.1.1.1	0x275	Standard query (0)	appliacnesot.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.406214952 CET	192.168.2.3	1.1.1.1	0x77ae	Standard query (0)	hummskitnj.buzz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.416650057 CET	192.168.2.3	1.1.1.1	0xc70c	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 20:10:52.269711971 CET	1.1.1.1	192.168.2.3	0x5323	Name error (3)	cashfuzysao.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.304584026 CET	1.1.1.1	192.168.2.3	0xc611	Name error (3)	prisonyfork.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.341123104 CET	1.1.1.1	192.168.2.3	0x62e8	Name error (3)	rebuildeso.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.362318993 CET	1.1.1.1	192.168.2.3	0xaf6	Name error (3)	scentniej.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.377593994 CET	1.1.1.1	192.168.2.3	0xd34e	Name error (3)	inherineau.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.390656948 CET	1.1.1.1	192.168.2.3	0x356b	Name error (3)	screwamusresz.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.401478052 CET	1.1.1.1	192.168.2.3	0x275	Name error (3)	appliacnesot.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.415154934 CET	1.1.1.1	192.168.2.3	0x77ae	Name error (3)	hummskitnj.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:10:52.423533916 CET	1.1.1.1	192.168.2.3	0xc70c	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49711	104.102.49.254	443	3364	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:10:53 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-02 19:10:53 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 02 Jan 2025 19:10:53 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=bdf42492f31741ce663384eb; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-02 19:10:53 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-02 19:10:53 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	14:10:48
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	375'296 bytes
MD5 hash:	0A42CBE3D32C42CFCCF044A27E02B7FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1592451613.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1672490969.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:10:52
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1656
Imagebase:	0xd80000
File size:	489'328 bytes
MD5 hash:	F5210A4A7E411A1BAD3844586A74B574
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	45.9%
Signature Coverage:	45.9%
Total number of Nodes:	61
Total number of Limit Nodes:	3

Executed Functions

Function 00408790 Relevance: 7.6, APIs: 5, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087B4
GetCurrentThreadId.KERNEL32 ref: 004087BE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040885B
GetForegroundWindow.USER32 ref: 00408870
ExitProcess.KERNEL32 ref: 00408972

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: a67ee57a83d6170df5f07577f929ddf8a699819013d33d30bc43b1fbcecb0360
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 95417E77F443180BD31CBEB59C9A36AB2969BC4314F0A903F6985AB3D1DD7C5C0552C5

Function 00AFB046 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00AFB06E
Module32First.KERNEL32(00000000,00000224), ref: 00AFB08E

Memory Dump Source

Source File: 00000000.00000002.1672490969.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afa000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: b28d4c94793c552606f2d7171f51289e43029193259f925e0818e6263a11c7ca
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 95F04932610718AFD7203BF9E88DABB76F8AF49725F100528F75691480DB70E9458A61

Function 0040B44C Relevance: 1.6, Strings: 1, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h d", xrefs: 0040B73E

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: h d"
API String ID: 0-862628183
Opcode ID: 907832ec394077f3cb61ce921fa134c81a3c0afbaec0ddbe82e25e94bded95fe
Instruction ID: e7b26040d347b48bd15f509a2e92d141a5522c4f34e33ed28b849909e17f734e
Opcode Fuzzy Hash: 907832ec394077f3cb61ce921fa134c81a3c0afbaec0ddbe82e25e94bded95fe
Instruction Fuzzy Hash: 81B1CF79204700CFD3248F74EC91B67B7F6FB4A301F058A7DE99682AA0D774A859CB18

Function 0043A9B0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043C978,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A9DE

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043CD60 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CD85

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: dc78d9af145ba0afec033d80e05627e4c530122498a0d20b58ff3d4b62c44d01
Instruction ID: fada9a9e4b2345b6e6448840249a942183f34978708c931c01a97142677ee2ca
Opcode Fuzzy Hash: dc78d9af145ba0afec033d80e05627e4c530122498a0d20b58ff3d4b62c44d01
Instruction Fuzzy Hash: 4C31F434304300AFE7109B249CC2B7BBBA5EB8EB14F24653DF584A3391D265EC60874A

Function 0043B05B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b87544a561184a7d4b1543d2ac67acc99fdb29ef1ee15d58e3a116105f186d8
Instruction ID: 59f44d745d542156a41113c6a864a29fdb0868418a705d17f35015423a5ff240
Opcode Fuzzy Hash: 4b87544a561184a7d4b1543d2ac67acc99fdb29ef1ee15d58e3a116105f186d8
Instruction Fuzzy Hash: 3F418C76A587588FC724AF54ACC477BB3A1EB8A320F2E552DDAE517351E7648C0083CD

Function 0248003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0248024D

Strings

cess, xrefs: 0248018D
kernel32.dll, xrefs: 0248008F, 02480095

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7b1ad8852e436fc1817e3e2aa783fdc326378ef2b8c29df7ba1e42edb9faaceb
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9B527A74A11229DFDB64CF58C984BADBBB1BF09304F1480DAE50DAB351DB30AA89CF14

Function 0043AB0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Strings

ilmn, xrefs: 0043AB7D

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: ilmn
API String ID: 2020703349-1560153188
Opcode ID: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction ID: 381210f78ea322f673374cf03a2ab6eba84d6d5afac1efb59df7821204f613f6
Opcode Fuzzy Hash: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction Fuzzy Hash: A0115C3BE5A65087D304DB65D806156B293EAC5214F0DD53DC986D770AEF3DDC028286

Function 02480E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02480223,?,?), ref: 02480E19
SetErrorMode.KERNELBASE(00000000,?,?,02480223,?,?), ref: 02480E1E

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 625e0f7f1e1b302f448508261efaf1e752b234688f5247d6a6466c6c1b929a9e
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 85D0123215512877D7003A94DC09BDE7B1CDF05B66F008011FB0DD9180C770954046E5

Function 0043AB91 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction ID: 60e8b0f46bfb036eff5fe615915129b1fb2bd173e47bf556a6606a5c449cc706
Opcode Fuzzy Hash: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction Fuzzy Hash: 34E08C7EA406008BDB04DF20EC4A5517766B79A305B084039D903C37A6DB3DD816CA49

Function 00438E70 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004127C7), ref: 00438E8E

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction ID: 85901e1c641484a1e9593b863e702362ecf9fc70d5eef9c3d2e46bbe4163b786
Opcode Fuzzy Hash: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction Fuzzy Hash: 63D01235405526EBC6101F24FC06B863A54EF49321F030461B540AF076C734DC908AD8

Function 00438E47 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction ID: 4c59684187f8c9fc8ebab3782fe1e1f4842940d007367fb0e8ab7bd4dbd8a192
Opcode Fuzzy Hash: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction Fuzzy Hash: A0C0927C142211FBD2211B21AC5EF6B3E38FB83B63F104124F209580B287649011DA6E

Function 00438E51 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction ID: 3dd49d49275fbb255d04589a33f94784ad2ffd24471d3276aa8c957077778349
Opcode Fuzzy Hash: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction Fuzzy Hash: 8AA0223C002200EBC2200B20AC0EF2B3E38FB83B23F000030F00C080B283308000CA2E

Function 00AFAD05 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00AFAD56

Memory Dump Source

Source File: 00000000.00000002.1672490969.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afa000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: aa03b256527a2f358dbcaa9ab07a27cdb12eb3b0b1b8c1171d85d2cbd6bc622d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 0C113C79A40208EFDB01DF98CA85E99BBF5AF08351F058094FA489B362D771EA50DF90

Non-executed Functions

Function 024B4891 Relevance: 127.9, Strings: 102, Instructions: 417COMMON

Download Yara Rule

Strings

T, xrefs: 024B4B1A
n, xrefs: 024B4B60
0, xrefs: 024B4AB1
~, xrefs: 024B48D5
!, xrefs: 024B4AA3
a, xrefs: 024B4A95
Z, xrefs: 024B49FB
d, xrefs: 024B4B8A
e, xrefs: 024B4945
J, xrefs: 024B4A64
X, xrefs: 024B4AC6
4, xrefs: 024B4E5C
1, xrefs: 024B4B21
~, xrefs: 024B4A25
}, xrefs: 024B4AE9
H, xrefs: 024B4A56
%, xrefs: 024B4ACD
M, xrefs: 024B489D
%, xrefs: 024B48F1
j, xrefs: 024B4B44
f, xrefs: 024B4B98
*, xrefs: 024B4984
v, xrefs: 024B4C08
D, xrefs: 024B49D1
t, xrefs: 024B4BFA
r, xrefs: 024B4BEC
U, xrefs: 024B498B
6, xrefs: 024B4A48
\, xrefs: 024B497D
Z, xrefs: 024B4A17
B, xrefs: 024B4A9C
., xrefs: 024B4B05
:, xrefs: 024B49F4
N, xrefs: 024B49ED
2, xrefs: 024B4A2C
e, xrefs: 024B496F
m, xrefs: 024B4D75
>, xrefs: 024B4ABF
@, xrefs: 024B4A8E
>, xrefs: 024B4A10
], xrefs: 024B4BC9
x, xrefs: 024B4BA6
o, xrefs: 024B4D7D
i, xrefs: 024B4929
,, xrefs: 024B4992
, xrefs: 024B49AE
~, xrefs: 024B4BD0
L, xrefs: 024B4A72
N, xrefs: 024B49A7
g, xrefs: 024B4D5D
-, xrefs: 024B48B9
;, xrefs: 024B4A87
p, xrefs: 024B48FF
x, xrefs: 024B490D
Z, xrefs: 024B4AD4
., xrefs: 024B49A0
k, xrefs: 024B4D6D
b, xrefs: 024B4B7C
?, xrefs: 024B4937
4, xrefs: 024B4E3A
p, xrefs: 024B4BDE
e, xrefs: 024B491B
|, xrefs: 024B4BC2
(, xrefs: 024B4976
<, xrefs: 024B4A02
F, xrefs: 024B4AB8
P, xrefs: 024B4AFE
=, xrefs: 024B4A79
v, xrefs: 024B48E3
C, xrefs: 024B4B83
l, xrefs: 024B4B52
c, xrefs: 024B4D4D
h, xrefs: 024B4B36
^, xrefs: 024B4AF0
t, xrefs: 024B48AB
t, xrefs: 024B4A4F
5, xrefs: 024B4961
O, xrefs: 024B4A09
), xrefs: 024B4A33
l, xrefs: 024B4953
V, xrefs: 024B4B28
;, xrefs: 024B4A5D
?, xrefs: 024B4ADB
`, xrefs: 024B4B6E
&, xrefs: 024B49D8
s, xrefs: 024B4B13
., xrefs: 024B4B2F
\, xrefs: 024B4AE2
R, xrefs: 024B4B0C
e, xrefs: 024B4D55
z, xrefs: 024B4BB4
D, xrefs: 024B4AAA
^, xrefs: 024B49C3
i, xrefs: 024B4D65
4, xrefs: 024B4A3A
0, xrefs: 024B4A1E
+, xrefs: 024B4AF7
", xrefs: 024B49BC
N, xrefs: 024B4A80
$, xrefs: 024B49CA
8, xrefs: 024B49E6
[, xrefs: 024B49DF

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: $!$"$$$%$%$&$($)$*$+$,$-$.$.$.$0$0$1$2$4$4$4$5$6$8$:$;$;$<$=$>$>$?$?$@$B$C$D$D$F$H$J$L$M$N$N$N$O$P$R$T$U$V$X$Z$Z$Z$[$\$\$]$^$^$`$a$b$c$d$e$e$e$e$f$g$h$i$i$j$k$l$l$m$n$o$p$p$r$s$t$t$t$v$v$x$x$z$|$}$~$~$~
API String ID: 0-1394229784
Opcode ID: 0ad0ccab371ecf03d36c413c93bc7494f07a7df5888065dda6a46f4b89f4694b
Instruction ID: baf5855529d5c49cf6cfb0e88b2a8186660a83bc73687cd3c779ef1732dd6a1a
Opcode Fuzzy Hash: 0ad0ccab371ecf03d36c413c93bc7494f07a7df5888065dda6a46f4b89f4694b
Instruction Fuzzy Hash: 5622462190C7E9CDEB26C638CC587DDBEA15F56314F0841D9C1996B3C2C7BA0B89CB26

Function 0043462A Relevance: 127.9, Strings: 102, Instructions: 417COMMON

Download Yara Rule

Strings

x, xrefs: 004346A6
x, xrefs: 0043493F
4, xrefs: 00434BD3
!, xrefs: 0043483C
t, xrefs: 00434993
z, xrefs: 0043494D
}, xrefs: 00434882
1, xrefs: 004348BA
&, xrefs: 00434771
p, xrefs: 00434977
-, xrefs: 00434652
?, xrefs: 00434874
j, xrefs: 004348DD
`, xrefs: 00434907
R, xrefs: 004348A5
t, xrefs: 004347E8
a, xrefs: 0043482E
o, xrefs: 00434B16
^, xrefs: 00434889
h, xrefs: 004348CF
[, xrefs: 00434778
O, xrefs: 004347A2
0, xrefs: 0043484A
D, xrefs: 0043476A
@, xrefs: 00434827
e, xrefs: 004346DE
c, xrefs: 00434AE6
*, xrefs: 0043471D
g, xrefs: 00434AF6
F, xrefs: 00434851
e, xrefs: 00434AEE
t, xrefs: 00434644
], xrefs: 00434962
>, xrefs: 004347A9
", xrefs: 00434755
%, xrefs: 00434866
M, xrefs: 00434636
4, xrefs: 00434BF5
v, xrefs: 0043467C
N, xrefs: 00434740
~, xrefs: 00434969
5, xrefs: 004346FA
,, xrefs: 0043472B
^, xrefs: 0043475C
<, xrefs: 0043479B
:, xrefs: 0043478D
d, xrefs: 00434923
r, xrefs: 00434985
6, xrefs: 004347E1
m, xrefs: 00434B0E
\, xrefs: 0043487B
T, xrefs: 004348B3
4, xrefs: 004347D3
l, xrefs: 004348EB
n, xrefs: 004348F9
f, xrefs: 00434931
., xrefs: 00434739
D, xrefs: 00434843
=, xrefs: 00434812
., xrefs: 0043489E
L, xrefs: 0043480B
(, xrefs: 0043470F
k, xrefs: 00434B06
B, xrefs: 00434835
U, xrefs: 00434724
p, xrefs: 00434698
C, xrefs: 0043491C
b, xrefs: 00434915
l, xrefs: 004346EC
;, xrefs: 004347F6
X, xrefs: 0043485F
N, xrefs: 00434786
\, xrefs: 00434716
, xrefs: 00434747
0, xrefs: 004347B7
8, xrefs: 0043477F
J, xrefs: 004347FD
e, xrefs: 004346B4
i, xrefs: 00434AFE
2, xrefs: 004347C5
i, xrefs: 004346C2
?, xrefs: 004346D0
V, xrefs: 004348C1
v, xrefs: 004349A1
;, xrefs: 00434820
P, xrefs: 00434897
N, xrefs: 00434819
$, xrefs: 00434763
|, xrefs: 0043495B
s, xrefs: 004348AC
~, xrefs: 0043466E
~, xrefs: 004347BE
Z, xrefs: 00434794
e, xrefs: 00434708
Z, xrefs: 004347B0
), xrefs: 004347CC
+, xrefs: 00434890
H, xrefs: 004347EF
., xrefs: 004348C8
>, xrefs: 00434858
%, xrefs: 0043468A
Z, xrefs: 0043486D

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: $!$"$$$%$%$&$($)$*$+$,$-$.$.$.$0$0$1$2$4$4$4$5$6$8$:$;$;$<$=$>$>$?$?$@$B$C$D$D$F$H$J$L$M$N$N$N$O$P$R$T$U$V$X$Z$Z$Z$[$\$\$]$^$^$`$a$b$c$d$e$e$e$e$f$g$h$i$i$j$k$l$l$m$n$o$p$p$r$s$t$t$t$v$v$x$x$z$|$}$~$~$~
API String ID: 0-1394229784
Opcode ID: 056a6b09ac1f0b8069d8e0856d928db892cc49fb58976f7f6017e888c085083b
Instruction ID: 78fde7a8102a4a25e3d516c1edb5f9b2f063fdb03dbd0bbcca9d4d838a68c62c
Opcode Fuzzy Hash: 056a6b09ac1f0b8069d8e0856d928db892cc49fb58976f7f6017e888c085083b
Instruction Fuzzy Hash: 3F22472190D7E9CDEB26C638CC587DDBEA15B56314F0841D9C19D6B3C2C7BA0B89CB26

Function 024B42FF Relevance: 36.6, Strings: 29, Instructions: 348COMMON

Download Yara Rule

Strings

}, xrefs: 024B43F9
x, xrefs: 024B458C
|, xrefs: 024B459C
s, xrefs: 024B4409
`, xrefs: 024B456C
<, xrefs: 024B4536
n, xrefs: 024B43C9
+, xrefs: 024B430B
{, xrefs: 024B43F1
a, xrefs: 024B43C1
|, xrefs: 024B43E9
z, xrefs: 024B4594
p, xrefs: 024B4401
@, xrefs: 024B4419
h, xrefs: 024B43B1
n, xrefs: 024B4564
{, xrefs: 024B4598
`, xrefs: 024B43A9
0, xrefs: 024B468E
g, xrefs: 024B43D1
w, xrefs: 024B4411
d, xrefs: 024B43E1
*, xrefs: 024B4351
:, xrefs: 024B4560
C, xrefs: 024B4421
b, xrefs: 024B4574
f, xrefs: 024B4584
>, xrefs: 024B453F
d, xrefs: 024B457C

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: *$+$0$:$<$>$@$C$`$`$a$b$d$d$f$g$h$n$n$p$s$w$x$z${${$|$|$}
API String ID: 0-334816167
Opcode ID: 63cdccc75301cd355fa4edc8c506f7aea9a9e61635fb673e26f729942e3a0ac3
Instruction ID: 25ecd6609553f32baca7714e8aeceeec93040c6e209c9c053f4265ccc1d4356a
Opcode Fuzzy Hash: 63cdccc75301cd355fa4edc8c506f7aea9a9e61635fb673e26f729942e3a0ac3
Instruction Fuzzy Hash: AFF1E421D087E98ADB32C67C8C543CDBFA15B53324F1943D9D4E9AB3D2C6790A46CB62

Function 00434098 Relevance: 36.6, Strings: 29, Instructions: 348COMMON

Download Yara Rule

Strings

*, xrefs: 004340EA
a, xrefs: 0043415A
<, xrefs: 004342CF
`, xrefs: 00434305
{, xrefs: 0043418A
d, xrefs: 00434315
|, xrefs: 00434182
>, xrefs: 004342D8
|, xrefs: 00434335
z, xrefs: 0043432D
p, xrefs: 0043419A
+, xrefs: 004340A4
x, xrefs: 00434325
b, xrefs: 0043430D
:, xrefs: 004342F9
{, xrefs: 00434331
n, xrefs: 004342FD
g, xrefs: 0043416A
f, xrefs: 0043431D
w, xrefs: 004341AA
0, xrefs: 00434427
d, xrefs: 0043417A
s, xrefs: 004341A2
C, xrefs: 004341BA
}, xrefs: 00434192
h, xrefs: 0043414A
@, xrefs: 004341B2
`, xrefs: 00434142
n, xrefs: 00434162

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: *$+$0$:$<$>$@$C$`$`$a$b$d$d$f$g$h$n$n$p$s$w$x$z${${$|$|$}
API String ID: 0-334816167
Opcode ID: 4d803b101157e4a712cc0ef110f4861eff536f857bbb1a7cf2d313a64b91ceb8
Instruction ID: 4ba09c738a8091425718d315f50eff196f5ba60e1b3feeb24fdbf3622366560b
Opcode Fuzzy Hash: 4d803b101157e4a712cc0ef110f4861eff536f857bbb1a7cf2d313a64b91ceb8
Instruction Fuzzy Hash: 0BF1E521D087E98ADB32C67C8C443CDBFA15B97324F1943D9D4E9AB3D2C6780A46CB56

Function 004361E0 Relevance: 33.9, APIs: 10, Strings: 9, Instructions: 636memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C), ref: 0043640E
SysAllocString.OLEAUT32(FA46F8B5), ref: 0043646A
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364A7
SysAllocString.OLEAUT32(w!s#), ref: 004364FB
SysAllocString.OLEAUT32(A3q5), ref: 004365A1
VariantInit.OLEAUT32(?), ref: 00436613
VariantClear.OLEAUT32(?), ref: 00436775
SysFreeString.OLEAUT32(?), ref: 004367A0
SysFreeString.OLEAUT32(?), ref: 004367A6
SysFreeString.OLEAUT32(00000000), ref: 004367B3

Strings

T'g), xrefs: 0043652D
0NuNup=Nu, xrefs: 00436796, 004367B3
A;, xrefs: 0043643C
C, xrefs: 00436369
w!s#, xrefs: 004364F6, 004364FA
X&c8, xrefs: 0043628F
BC, xrefs: 00436565
Y/9Q, xrefs: 0043653D
z7}9A3q5, xrefs: 004365BB

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: 0NuNup=Nu$A;$BC$C$T'g)$X&c8$Y/9Q$w!s#$z7}9A3q5
API String ID: 2485776651-1817988871
Opcode ID: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction ID: 522da010f1620deffab12e26d595bfb80e0736a5a48a815d81ab8756012ad252
Opcode Fuzzy Hash: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction Fuzzy Hash: 7112EC72A083019BD314CF28C881B6BBBE5FFC9304F15992DF595DB290D778D9058B9A

Function 024B6447 Relevance: 30.4, APIs: 8, Strings: 9, Instructions: 636memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0043F68C,00000000,00000001,0043F67C), ref: 024B6675
SysAllocString.OLEAUT32(FA46F8B5), ref: 024B66D1
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 024B670E
SysAllocString.OLEAUT32(w!s#), ref: 024B6762
SysAllocString.OLEAUT32(A3q5), ref: 024B6808
VariantInit.OLEAUT32(?), ref: 024B687A
VariantClear.OLEAUT32(?), ref: 024B69DC
SysFreeString.OLEAUT32(00000000), ref: 024B6A1A

Strings

C, xrefs: 024B65D0
T'g), xrefs: 024B6794
z7}9A3q5, xrefs: 024B6822
BC, xrefs: 024B67CC
X&c8, xrefs: 024B64F6
A;, xrefs: 024B66A3
Y/9Q, xrefs: 024B67A4
w!s#, xrefs: 024B675D, 024B6761
0NuNup=Nu, xrefs: 024B69FD, 024B6A1A

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
String ID: 0NuNup=Nu$A;$BC$C$T'g)$X&c8$Y/9Q$w!s#$z7}9A3q5
API String ID: 2775254435-1817988871
Opcode ID: 7f006d42d978ea279f5d884ff5246a5058d7d597c52cd245997dba74b9415a56
Instruction ID: 5b3348aa32d787808aa2bd7c848211984107a7b7c5ca6801c41b61df10d9f28a
Opcode Fuzzy Hash: 7f006d42d978ea279f5d884ff5246a5058d7d597c52cd245997dba74b9415a56
Instruction Fuzzy Hash: 0E12EEB26083409BD714CF29C881BABBBEAFFC9304F15892DE695DB290D774D505CB92

Function 004310D0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004310E0
GetWindowLongW.USER32 ref: 00431105
GetClipboardData.USER32 ref: 00431115
GlobalLock.KERNEL32 ref: 0043112E
GlobalUnlock.KERNEL32 ref: 00431240
CloseClipboard.USER32 ref: 00431249

Strings

(, xrefs: 004311BE
], xrefs: 00431191
P, xrefs: 0043119B
j, xrefs: 004311AA
x, xrefs: 0043117D
W, xrefs: 004311A5

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction ID: d10a51e23ecba45016217ad21913f42ff9d133ebe453f27826f30668db2baec2
Opcode Fuzzy Hash: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction Fuzzy Hash: B941A17050C7818ED301AFB8D88835FBEE0AB8A314F444A7EE4E9963D2D678854DC797

Function 02489497 Relevance: 18.0, Strings: 14, Instructions: 458COMMON

Download Yara Rule

Strings

rz|x, xrefs: 02489935
wkoq, xrefs: 024895EC
LSJm, xrefs: 02489604
p~rs, xrefs: 024895BC
9/,8, xrefs: 024894CF
agsy, xrefs: 024895D4
; >?, xrefs: 024894E7
7]7N, xrefs: 024895F4
`{R2, xrefs: 024895E4
PVNR, xrefs: 024895FC
<'=0, xrefs: 024894D7
~p~9, xrefs: 024895CC
R:e}, xrefs: 024895DC
sD/f, xrefs: 024895C4

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7]7N$9/,8$; >?$<'=0$LSJm$PVNR$R:e}$`{R2$agsy$p~rs$rz|x$sD/f$wkoq$~p~9
API String ID: 0-2345621967
Opcode ID: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction ID: 61a7c25add3c2eb78d575bb410489b68ba99ef0bb1d486e7cf9faf3c19471fbb
Opcode Fuzzy Hash: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction Fuzzy Hash: 03C1587160C7C58FD315DF2584A076BBFE1AFD2244F1889ADE4E11B782D739890ACB62

Function 00409230 Relevance: 18.0, Strings: 14, Instructions: 458COMMON

Download Yara Rule

Strings

sD/f, xrefs: 0040935D
`{R2, xrefs: 0040937D
~p~9, xrefs: 00409365
wkoq, xrefs: 00409385
p~rs, xrefs: 00409355
R:e}, xrefs: 00409375
<'=0, xrefs: 00409270
; >?, xrefs: 00409280
7]7N, xrefs: 0040938D
LSJm, xrefs: 0040939D
9/,8, xrefs: 00409268
agsy, xrefs: 0040936D
PVNR, xrefs: 00409395
rz|x, xrefs: 004096CE

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7]7N$9/,8$; >?$<'=0$LSJm$PVNR$R:e}$`{R2$agsy$p~rs$rz|x$sD/f$wkoq$~p~9
API String ID: 0-2345621967
Opcode ID: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction ID: bfc0c3310975af71fded0e8a17bd930ed1ccefcf7fefaebca231936fe6ab8075
Opcode Fuzzy Hash: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction Fuzzy Hash: 47C1367150C3958BD315CE2584A036BBFE1AFD6304F1889BDE4E11B386D63D8D0ACBA6

Function 0248FC64 Relevance: 17.1, Strings: 13, Instructions: 892COMMON

Download Yara Rule

Strings

C, xrefs: 0248FE47
O, xrefs: 02490157
4, xrefs: 0248FEA9
\, xrefs: 024904F0
@, xrefs: 02490238
Y, xrefs: 024904F8
&, xrefs: 0248FE42
+, xrefs: 0249065F
t, xrefs: 02490240
T, xrefs: 0248FE99
g, xrefs: 02490051
Z, xrefs: 02490500
q, xrefs: 0248FDDA

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &$+$4$@$C$O$T$Y$Z$\$g$q$t
API String ID: 0-2174627302
Opcode ID: 2c149d579c2bfbe290bb8fc034ca28ef72b0ce807b879de6ec01245955241a86
Instruction ID: c47d0252fef95e795cc2f919cc7b0789bbb0f975b4fe0699cf3bf39bea5ccefd
Opcode Fuzzy Hash: 2c149d579c2bfbe290bb8fc034ca28ef72b0ce807b879de6ec01245955241a86
Instruction Fuzzy Hash: 3C727D7160C7808FD724AB38C4943AFBFE2ABD6314F19892ED5DA87381D6798446CB13

Function 0040F9FD Relevance: 17.1, Strings: 13, Instructions: 892COMMON

Download Yara Rule

Strings

Y, xrefs: 00410291
+, xrefs: 004103F8
@, xrefs: 0040FFD1
\, xrefs: 00410289
t, xrefs: 0040FFD9
g, xrefs: 0040FDEA
T, xrefs: 0040FC32
C, xrefs: 0040FBE0
4, xrefs: 0040FC42
Z, xrefs: 00410299
&, xrefs: 0040FBDB
O, xrefs: 0040FEF0
q, xrefs: 0040FB73

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &$+$4$@$C$O$T$Y$Z$\$g$q$t
API String ID: 0-2174627302
Opcode ID: fa95428c970c30a1efb578d72b7ddf9eb6b82f5b934b73145c579ff54d310729
Instruction ID: 9695cd9248a7320cbd761fb78df0a02734abf8995342c504889e395b39462be9
Opcode Fuzzy Hash: fa95428c970c30a1efb578d72b7ddf9eb6b82f5b934b73145c579ff54d310729
Instruction Fuzzy Hash: 7E728E7160C7818BD3249F38C4953AFBBE2ABD5314F194A3EE5D9873D2D67884858B07

Function 024A8108 Relevance: 14.2, Strings: 11, Instructions: 461COMMON

Download Yara Rule

Strings

XY, xrefs: 024A8534
p-B/, xrefs: 024A8442
T!M#, xrefs: 024A842A
Q5Z7, xrefs: 024A8452
U1D3, xrefs: 024A844A
<=, xrefs: 024A8462
V%G', xrefs: 024A8432
\9X;, xrefs: 024A845A
*B), xrefs: 024A8582
O)O+, xrefs: 024A843A
*B), xrefs: 024A82E2

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: *B)$*B)$<=$O)O+$Q5Z7$T!M#$U1D3$V%G'$XY$\9X;$p-B/
API String ID: 0-898000180
Opcode ID: 9fc2874815f84d3ef4346084d008133ae0ec9231113661370af9e7ee02782906
Instruction ID: 7284c0b006921febe605626328ca0107e5e3020dd22266af322895ab5b66acc7
Opcode Fuzzy Hash: 9fc2874815f84d3ef4346084d008133ae0ec9231113661370af9e7ee02782906
Instruction Fuzzy Hash: 7DC10DB12483518BD714CF58C8A176BB7F2EFE6714F08896DE8D68B790E3358901C796

Function 024A3C9B Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

|~, xrefs: 024A4295
IK, xrefs: 024A40EA
>V, xrefs: 024A4417
4%, xrefs: 024A3F3C
<>, xrefs: 024A4317
EG, xrefs: 024A40E3
>V, xrefs: 024A45BD
UW, xrefs: 024A40FF

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: 0b95a4a5ac87f7a12cdeb98e31fa16e5e6f6b5ad0cc6a7354cbd6f5cd4a09f7c
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: A43242B0601B469FDB48CF2AD580389BBB1FF45300F548698C9695FB4ADB35A892CFC0

Function 00423A34 Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

>V, xrefs: 004241B0
EG, xrefs: 00423E7C
>V, xrefs: 00424356
UW, xrefs: 00423E98
<>, xrefs: 004240B0
IK, xrefs: 00423E83
|~, xrefs: 0042402E
4%, xrefs: 00423CD5

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: f89536dd89445c36d0748b7bd4a9cf4b738649ea5c65e76590e6169531de8307
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: C43242B0611B569FDB48CF26D580389BBB1FF45300F548698C9695FB4ADB35A8A2CFC0

Function 00425E90 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 648COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
67, xrefs: 0042677F
@iB, xrefs: 0042693A, 00426DD8, 00426E0E
*mB, xrefs: 00426D24

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: *mB$67$@iB$V3R5
API String ID: 0-119712241
Opcode ID: 2752cfb5aefe83a77e1e275bbb3611267d68b1f03f1cd38cb6bb80b62f128883
Instruction ID: f8f986030c5c516667fa2fb6bcf2798bb7f33b75dff4277953ef0512ab11a316
Opcode Fuzzy Hash: 2752cfb5aefe83a77e1e275bbb3611267d68b1f03f1cd38cb6bb80b62f128883
Instruction Fuzzy Hash: 6A2258716083548BC728DF68E85176FB7E1EFC5304F49893DE9868B392EB349905CB86

Function 024A1347 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

T, xrefs: 024A1925
h, xrefs: 024A1559
!@, xrefs: 024A137D
V, xrefs: 024A1920
,, xrefs: 024A1885
U, xrefs: 024A192A

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$T$U$V$h
API String ID: 0-1072848446
Opcode ID: 8e8ca45835480ccfa162dc2bafbba4cee2664ffe78ab865597f6f2298b61ffbe
Instruction ID: f053d8d88037b6577d0dc540d670b171f3ca9efdd8dffbfa78d95a24bfab15ca
Opcode Fuzzy Hash: 8e8ca45835480ccfa162dc2bafbba4cee2664ffe78ab865597f6f2298b61ffbe
Instruction Fuzzy Hash: 17229D7560C7908FD3209F28C46436FBBE1AB96324F088A2EE5DE873D1D7758885CB52

Function 004210E0 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

V, xrefs: 004216B9
!@, xrefs: 00421116
T, xrefs: 004216BE
h, xrefs: 004212F2
U, xrefs: 004216C3
,, xrefs: 0042161E

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$T$U$V$h
API String ID: 0-1072848446
Opcode ID: b818ee9c67694a0f4bc9b807532e0d54e79f31c8e805177f741268a403b11b31
Instruction ID: 7f4f8c271271a0ee30063bf5d57d9afa0b4a7bb7edff0777766b2e5d54dfe869
Opcode Fuzzy Hash: b818ee9c67694a0f4bc9b807532e0d54e79f31c8e805177f741268a403b11b31
Instruction Fuzzy Hash: CF22E17160C3A08FD320DF28D44436FBBE1ABD6314F598A2EE5D9873A1D77988458B4B

Function 004205B0 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

<k;m, xrefs: 0042069D
2g1i, xrefs: 00420695
B, xrefs: 00420ADF
wy, xrefs: 00420675
&', xrefs: 00420966
0c=e, xrefs: 0042068D

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$B$wy
API String ID: 0-2430453506
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: efc43d6a55d29c5113b9513135886848320c4b4fba7a0b6b3d57c2edb9ba0087
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 26D127B56083118BD724DF25D85276BB7F2EFE2314F58992CE4828B3A5F7789801CB46

Function 024AC8B1 Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

EF, xrefs: 024ACDD1
zJyL, xrefs: 024ACDB0
D@6T, xrefs: 024ACC69
0, xrefs: 024ACB22
5, xrefs: 024ACB84
&=, xrefs: 024ACC7F

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: 45400f8afca93c5224be32374253f3e626fe7ba211acc8360950aa97c9417813
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 2CB1FA7010D3818AD364CF29C4A07BBFBD2AFE6304F188A5ED4DA8B391DB758549C712

Function 0042C64A Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0042CA02
5, xrefs: 0042C91D
0, xrefs: 0042C8BB
&=, xrefs: 0042CA18
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: f15181a2a9622c2e50c414abf7a3ac4626398852fa6a8a653e4f6d86baaa0204
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 62B1087020C3918AE324CF2994917BFBBD2AFD6304F588A6ED4D987391DB788449C757

Function 024889F7 Relevance: 7.6, APIs: 5, Instructions: 146threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02488A1B
GetCurrentThreadId.KERNEL32 ref: 02488A25
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02488AC2
GetForegroundWindow.USER32 ref: 02488AD7
ExitProcess.KERNEL32 ref: 02488BD9

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: 32fc16b6d54a95302a4d4f1d623382d6dc466224f9fb23ff5545f67503981d54
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: CA417B77F543180BD71CBEA98C993AEB6979BC4314F0A803F6985AB390DE785C0656D0

Function 00422E93 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 394COMMON

Download Yara Rule

Strings

r1B, xrefs: 00423169
)*, xrefs: 00423216
X9{;, xrefs: 0042330B

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: )*$X9{;$r1B
API String ID: 0-1001561910
Opcode ID: 8dd660af85e9b30ff04e02c10e609101b9a09426abdb28fd85c75e4d1b9bc82c
Instruction ID: a1479a56b64214e2a7fc54a03e2bd96b94a4879ed58cb61811aa9170273c6ab6
Opcode Fuzzy Hash: 8dd660af85e9b30ff04e02c10e609101b9a09426abdb28fd85c75e4d1b9bc82c
Instruction Fuzzy Hash: 94D1BAB06083419FD3009F59E88166BBBE0FF96309F54892DF5818B351E3B8DA09CB5A

Function 0041BEA0 Relevance: 6.9, Strings: 5, Instructions: 684COMMON

Download Yara Rule

Strings

[^, xrefs: 0041C1E8
Iz, xrefs: 0041C15F
-, xrefs: 0041C167
C\, xrefs: 0041C1F0
de, xrefs: 0041C34D

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: -$C\$Iz$[^$de
API String ID: 0-3020956940
Opcode ID: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction ID: e1ce7c89e45d16bcd91c54bb6943d2a9f79ffbc50f6667256eaf7ee8aaf95e0a
Opcode Fuzzy Hash: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction Fuzzy Hash: C012237654C3108FC314CFA8C8926ABBBE2EFD5314F18892DE4E58B391E7789505CB86

Function 024A0817 Relevance: 6.7, Strings: 5, Instructions: 481COMMON

Download Yara Rule

Strings

0c=e, xrefs: 024A08F4
&', xrefs: 024A0BCD
2g1i, xrefs: 024A08FC
wy, xrefs: 024A08DC
<k;m, xrefs: 024A0904

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$wy
API String ID: 0-3335612808
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: 4e0eea66cff0f6b9496aca2dce0eb99fe8499485080f3b5597ab95928cc6be57
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 6FD118B56183018BD724DF25C8A176BB7F2EFA2314F18996DD4828F3A4F7799401CB52

Function 024AC94B Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

EF, xrefs: 024ACDD1
zJyL, xrefs: 024ACDB0
D@6T, xrefs: 024ACC69
5, xrefs: 024ACB84
&=, xrefs: 024ACC7F

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: a0e3043ec67e3de6e7873e2ebe6bec725442fe8fe72bc62a0d17d56f8b2c2404
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: A3A1EA7110D3818BE364CF29C4A07BBBBD2AFE2304F18896ED4DA8B391DB758549C756

Function 0042C6E4 Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0042CA02
5, xrefs: 0042C91D
&=, xrefs: 0042CA18
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: a1ece66a1846d5f05b18afa13e78785737907ef84dba56bd06699bfcf49e878d
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 16A1097120C3918AE364CF2994917AFBBD2AFD2304F588A6ED4C987391DB788449C757

Function 024AC99C Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

EF, xrefs: 024ACDD1
zJyL, xrefs: 024ACDB0
D@6T, xrefs: 024ACC69
5, xrefs: 024ACB84
&=, xrefs: 024ACC7F

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: ce5a0078d03f97aafd8e637aee6b92b66fb343947fb904c4b805f963b4cd0d89
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 53A1FB7010D3818BE364CF29C4A07BBBBD2AFE2304F18896ED4DA8B391DB758549C756

Function 0042C735 Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0042CA02
5, xrefs: 0042C91D
&=, xrefs: 0042CA18
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: a1affb31d16800ef8c6cc435bb9674081fedb8b39f933f67ef20babcac88fb25
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 6BA1097020C3918AE324CF2994D17AFBBD2AFD2304F688A6ED4D987391DB788449C757

Function 024AC98D Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

EF, xrefs: 024ACDD1
zJyL, xrefs: 024ACDB0
D@6T, xrefs: 024ACC69
5, xrefs: 024ACB84
&=, xrefs: 024ACC7F

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: b6c84b30acdec967f227c94cb53ac2f55d8d26962341561a6ea0e9572039e90d
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: DFA1D57110D3818AE364CF29C4A07ABBBD2AFE2304F188A6ED4D98B391DB758549C756

Function 0042C726 Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0042CA02
5, xrefs: 0042C91D
&=, xrefs: 0042CA18
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 9bb2126ccc093d793a191dd69b681400b401b97b3b24328c9194ba10bd873eb8
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: 16A1077120C3918AD324CF2994917BBBBD2AFD2304F688A5ED4C98B391DB788449C757

Function 00415298 Relevance: 6.1, Strings: 4, Instructions: 1123COMMON

Download Yara Rule

Strings

Z\, xrefs: 00415344
in~x, xrefs: 00415AFB
kmbj, xrefs: 00415B8C
ydij, xrefs: 00415B93

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij$Z\
API String ID: 0-979945983
Opcode ID: 005fc1fa79f283313d18ab5bef71a17aafbda1228e7aae7fdcae809975c54514
Instruction ID: a7131c4719c006be066284edc26e6de5161f51a5f0bff666fc31d9b99828dd7c
Opcode Fuzzy Hash: 005fc1fa79f283313d18ab5bef71a17aafbda1228e7aae7fdcae809975c54514
Instruction Fuzzy Hash: 107249B5600701CFD7248F28D8817A7B7B2FF96314F18856EE4968B392E739E842CB55

Function 0249E1E7 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

zusR, xrefs: 0249E3B5
&-, xrefs: 0249E601
)R_X, xrefs: 0249E3D7
[O_[, xrefs: 0249E50F

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction ID: 43ffbaf601dac67dac3f7de494ab11fd7e8a36768a23bc975a14dbd97ed775c7
Opcode Fuzzy Hash: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction Fuzzy Hash: B64207706083908FCB25DF68C85076FBFE1AF96214F484A6EE8E55B392D7368506CB52

Function 0041DF80 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

&-, xrefs: 0041E39A
[O_[, xrefs: 0041E2A8
zusR, xrefs: 0041E14E
)R_X, xrefs: 0041E170

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction ID: 5890859bd03ddd88b235fb657101ddbf2934de1c8c3864215f367d42e94b454c
Opcode Fuzzy Hash: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction Fuzzy Hash: BD42683850C3908FC725DF29C8507AFBBE1AF96314F08466EE8E44B392D7398945C79A

Function 024AB75E Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

%(#}, xrefs: 024AB9A7
1, xrefs: 024ABDC0
/26-, xrefs: 024AB99C
/, xrefs: 024ABB6F

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction ID: 4dd9865bf480284b995dc2ebb7bbcf1d26dc5a7906ebf95f37f46a381d06ec2e
Opcode Fuzzy Hash: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction Fuzzy Hash: EDE1E97111D3C18BE765CF29C4617BBBBD6EFA2208F18896ED0D987792D739810AC712

Function 0042B4F7 Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

/26-, xrefs: 0042B735
/, xrefs: 0042B908
1, xrefs: 0042BB59
%(#}, xrefs: 0042B740

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction ID: 01141288c62049998ddddb8392f03a48052843576c41680a3c86522b868e0cab
Opcode Fuzzy Hash: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction Fuzzy Hash: 17E1076121C3918BE725CF29D4517BBBBD6EFD2304F58896EC0D987392DB38840AC796

Function 024AB763 Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

%(#}, xrefs: 024AB9A7
1, xrefs: 024ABDC0
/26-, xrefs: 024AB99C
/, xrefs: 024ABB6F

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction ID: 25cbe531ef983319114dc2f5f9fbeed8b6ade6eb375272f66745fd9a61d92d3e
Opcode Fuzzy Hash: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction Fuzzy Hash: 40E1C87151D3C18AE775CF25C4607BBBBD6EFE2208F1848AEC1D987292DB79414AC712

Function 0042B4FC Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

/26-, xrefs: 0042B735
/, xrefs: 0042B908
1, xrefs: 0042BB59
%(#}, xrefs: 0042B740

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction ID: 105acce5f4ff7ea6d47210ba8b73cab4478fbe416d66b6a3adf1b721c409ed6c
Opcode Fuzzy Hash: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction Fuzzy Hash: 16E1F37120C3D18AE735CF2594607BBBBD6EFD2304F5848AEC1C98B292DB39440ACB56

Function 00418578 Relevance: 5.5, Strings: 4, Instructions: 455COMMON

Download Yara Rule

Strings

?TUV, xrefs: 00418704
D@YO, xrefs: 00418B3E
^QRW, xrefs: 00418B45
"w+y, xrefs: 004185AB

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$D@YO$^QRW
API String ID: 0-2418547040
Opcode ID: b33f7a74249a1930603a4104fb56ed047204ad8f914d8738a10807f3eb918719
Instruction ID: fcb942591893e55783a104e15fa10a8e25e40a6012ded37723e5c7bd10029470
Opcode Fuzzy Hash: b33f7a74249a1930603a4104fb56ed047204ad8f914d8738a10807f3eb918719
Instruction Fuzzy Hash: 3502AB75600701CFD324CF29C891BA2B7F2FF59314F19896DD4968BBA1DB39A841CB44

Function 00423410 Relevance: 5.4, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

DF, xrefs: 00423452
#$, xrefs: 00423496
?{;}, xrefs: 00423815
+oQ, xrefs: 00423838

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: #$$+oQ$?{;}$DF
API String ID: 0-1090792222
Opcode ID: fe6da00e438e1ead2a2d23196ddeab5711043166ad0a78cb1c77591abb4d52b2
Instruction ID: f8f0a3fc3e126b0df0e9da8d66218e0bc810a6f9e0fb1804998ec3192ea1b230
Opcode Fuzzy Hash: fe6da00e438e1ead2a2d23196ddeab5711043166ad0a78cb1c77591abb4d52b2
Instruction Fuzzy Hash: 34E102B4E043549FEB10DF28D942B5EBBB0FB86304F1085ADE598AB381D7758946CF86

Function 00431839 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431887
GetSystemMetrics.USER32 ref: 00431896

Strings

, xrefs: 0043196A

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction ID: 403ffabe11f23b748e06d840ed2f043dd1bcc1ca5a787c04042f92a2a85d24cf
Opcode Fuzzy Hash: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction Fuzzy Hash: 365173B4E142189FDB40EFACE98569DBBF0BB88310F114529E499E7350D734AD48CF96

Function 0248D25A Relevance: 5.3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

Strings

ZG, xrefs: 0248D4C1
pr, xrefs: 0248D558
BI, xrefs: 0248D4BA
3ej, xrefs: 0248D544

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$3ej$pr
API String ID: 0-483502859
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: a9a6a3ce15e73643c5f7d304bcc303a0e0c11b028bf89a3e05b05a354b4b9328
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: 68A1E3B56117818FD718CF29C590A26BBF2FF96304B1995AEC0D68F7A6D734E802CB10

Function 0040CFF3 Relevance: 5.3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

Strings

3ej, xrefs: 0040D2DD
ZG, xrefs: 0040D25A
BI, xrefs: 0040D253
pr, xrefs: 0040D2F1

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$3ej$pr
API String ID: 0-483502859
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: f448791ebc0dd286385b88dc6d7820084d2eda887077436efc4f1c5c77796cf1
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: 44A1D6B56007818FD714CF29C590A22BFE2FF96300B1995ADC4D69F7A6DB38E806CB54

Function 0249C1AC Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

[^, xrefs: 0249C44F
C\, xrefs: 0249C457
Iz, xrefs: 0249C3C6
-, xrefs: 0249C3CE

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: -$C\$Iz$[^
API String ID: 0-2105564891
Opcode ID: 856b381f3345170c9e1f152739ef8b6d943d9b4d3d608726b0c255f8cc161e2c
Instruction ID: 83feb89783d0e8e03a0af41f1f5f3833bcca062e61b7e43a27f1168e45b05c3c
Opcode Fuzzy Hash: 856b381f3345170c9e1f152739ef8b6d943d9b4d3d608726b0c255f8cc161e2c
Instruction Fuzzy Hash: 7081DCB264C3509FD708CFA9C85185FFBE2EFD5300F59886DE0E58B251D67996068B82

Function 024B6107 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

V, xrefs: 024B6125
k, xrefs: 024B6116
T, xrefs: 024B611B
U, xrefs: 024B6120

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: T$U$V$k
API String ID: 0-1255220828
Opcode ID: c93e863c5daac2f8ca78168b26a37bbe867cb239aeeaedccae74f18b85e983c0
Instruction ID: b5b315cef96ff8e6603068b3171df72a60ff363c6aba796a5bcb627c89a6e68a
Opcode Fuzzy Hash: c93e863c5daac2f8ca78168b26a37bbe867cb239aeeaedccae74f18b85e983c0
Instruction Fuzzy Hash: B1A1053150C7908AD3069B3898502AFBBD65FC6328F0A4B2EE5E6473D2D675C585C726

Function 00435EA0 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

T, xrefs: 00435EB4
k, xrefs: 00435EAF
V, xrefs: 00435EBE
U, xrefs: 00435EB9

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: T$U$V$k
API String ID: 0-1255220828
Opcode ID: d7e9605b728d24d94aa6476dc2bc71a6c7b696767e3fd5b61d48fe4e4e80319c
Instruction ID: 419b7bd8d768cf5a93220c289582c9eeb00d0d40764b4ee896287773b3a375b3
Opcode Fuzzy Hash: d7e9605b728d24d94aa6476dc2bc71a6c7b696767e3fd5b61d48fe4e4e80319c
Instruction Fuzzy Hash: 4CA1043110C7918BD708CB38985022FBBE25BDA324F1A9B2EE4E6473D2D679C945C74B

Function 004156A0 Relevance: 4.4, Strings: 3, Instructions: 617COMMON

Download Yara Rule

Strings

in~x, xrefs: 00415AFB
kmbj, xrefs: 00415B8C
ydij, xrefs: 00415B93

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij
API String ID: 0-2624003027
Opcode ID: 368771055179ae10f3d8f5d678ba0a53bce91d3d7d6a2510e556935792b0b895
Instruction ID: f79569228283954ad57b9a6cc496d73d61da5c1ffc761606bfa780fd5c95cafa
Opcode Fuzzy Hash: 368771055179ae10f3d8f5d678ba0a53bce91d3d7d6a2510e556935792b0b895
Instruction Fuzzy Hash: A91245B5600A01CFC7248F24D8D16A7BBA2FF96314F18857ED4968B396E738E842CB55

Function 0249144C Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

V, xrefs: 0249145A
e, xrefs: 02491AA9
0, xrefs: 02491876

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$V$e
API String ID: 0-3964817793
Opcode ID: c7716370ac8927f06ffe637d3cea15850e05a15dbd07c9effa12d3fdb0013073
Instruction ID: 423e8a31a579725d416adccb6ed0b35f1c0f6d461923490d9d1b775acc227a10
Opcode Fuzzy Hash: c7716370ac8927f06ffe637d3cea15850e05a15dbd07c9effa12d3fdb0013073
Instruction Fuzzy Hash: E922D57260C7818BD7249B39C4943AEBFD2ABC5320F194A6ED5ED873D1DA748941CB42

Function 004111E5 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

e, xrefs: 00411842
V, xrefs: 004111F3
0, xrefs: 0041160F

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$V$e
API String ID: 0-3964817793
Opcode ID: 9207e5ff9b94fdf015fcac0bd88a7bc55f734a6a516d8fe41e33a64d42c49df1
Instruction ID: 59230c03b5a3a3693ef44b30c97d38267524f76adfdce6de0efbbb4ceb4d7fde
Opcode Fuzzy Hash: 9207e5ff9b94fdf015fcac0bd88a7bc55f734a6a516d8fe41e33a64d42c49df1
Instruction Fuzzy Hash: 9822E77290C7408BD724DF38C4913AEBBD2ABD5324F194A2EE5E9973D1DA388941CB47

Function 00426054 Relevance: 4.2, Strings: 3, Instructions: 483COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
67, xrefs: 0042677F
dB, xrefs: 004264D2

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 67$V3R5$dB
API String ID: 0-2543814982
Opcode ID: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction ID: 8517aef1948ed283949bb5420b5e04df083ffcb119de912f7f261172b9a423e3
Opcode Fuzzy Hash: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction Fuzzy Hash: 28F145B5A0C361CBC714DF24E85126BB7E1AF86304F09487EE8C297352D739E905CB5A

Function 024987DF Relevance: 4.0, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

DX8Z, xrefs: 02498956
?TUV, xrefs: 0249896B
"w+y, xrefs: 02498812

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$DX8Z
API String ID: 0-3307990326
Opcode ID: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction ID: 7315892df1c7d2f6982ff7657606a7d3c234dbfdcb31354e0a536e57fada5f92
Opcode Fuzzy Hash: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction Fuzzy Hash: 5581CE756007128FCB28CF29C890A67BBF2FF96710B19859DD8824FB65E734E841CB55

Function 0248092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0248095F
l, xrefs: 02480966
GetProcAddress., xrefs: 024809DC, 024809DF, 024809E4

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8cdf4942245fb07499dfcbfde2d2b629970e6a449e81b357afbaf2dd344a87d1
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 1A314AB6920609DFDB11DF99C880AAEBBF9FF48324F15504AD841A7310D771EA49CFA4

Function 024999D7 Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

I,~M, xrefs: 0249A6AF
,)*k, xrefs: 0249A0BB

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k$I,~M
API String ID: 0-936430989
Opcode ID: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction ID: afa4a11deb1eb790df95643616c704eaece956ec20bd9ac55d847abba478cdf1
Opcode Fuzzy Hash: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction Fuzzy Hash: D48203746083509FDB248F249884B6FBFE2EFC6718F28892EE58547391D772D842CB56

Function 00419770 Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00419E54
I,~M, xrefs: 0041A448

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k$I,~M
API String ID: 2994545307-936430989
Opcode ID: 6e5cbd4c0569671f9ac2a4ffa403741c4e36febb6378435fdd9cada9aaa80cb0
Instruction ID: 1bde8819f6f7b7dbc416330df06e5e5b0ea208d0a860aecc15c429cbd1f7d48d
Opcode Fuzzy Hash: 6e5cbd4c0569671f9ac2a4ffa403741c4e36febb6378435fdd9cada9aaa80cb0
Instruction Fuzzy Hash: FF8248746093405BD724CF24D890BAFBBE2EBC6714F28892DE4C547392D679DC92CB4A

Function 02484F17 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

8, xrefs: 0248588E
0, xrefs: 02485896

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction ID: f0c4bd5c9194a8ed730c7f84f1bc27d05230b103ef3380e9355d08bb5a22abd2
Opcode Fuzzy Hash: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction Fuzzy Hash: E27235716183409FD724DF18C880BAFBBE1AF88314F45892EF9898B391D775D948CB92

Function 00404CB0 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

0, xrefs: 0040562F
8, xrefs: 00405627

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction ID: d40c633f6dc63a9644a0400b392de52ca6438bdc0a59f23ad90aea60c423d6c9
Opcode Fuzzy Hash: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction Fuzzy Hash: BC7213716087409FD714CF18C880BABBBE1EB88314F04892EF9899B391D379D948DF96

Function 0248DF8C Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0248DF9C

Strings

PT, xrefs: 0248E1CA

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT
API String ID: 3861434553-4135314810
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 509d1b93eee6ce9a1ae496d8d3fcf9a0424700ff1f041aaa68fc307b5d1c2203
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 64A113B46187918FD326CF39C4A0A66BFE1EF57204B18869DD8D24FB66D339D406CB11

Function 0040DD25 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DD35

Strings

PT, xrefs: 0040DF63

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT
API String ID: 3861434553-4135314810
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 75a7993a4975897b3fffe1a5d6229db9520caabe5b699855c7cd795a636d0404
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 68A1C0B4508B818FD326CF69C490A22BFE1EF57300B1996ADC4D25F7A6D339E806CB55

Function 004223B8 Relevance: 3.3, Strings: 2, Instructions: 772COMMON

Download Yara Rule

Strings

B*B, xrefs: 00422A24, 00422A2F
"*B, xrefs: 00422A0D

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "*B$B*B
API String ID: 0-3938277345
Opcode ID: ca0737ad3b4449c2b88f5e3ab455cb045f7dc09c4e14c18ef94007a83bd96a02
Instruction ID: c0ff169c622c87bee100c6609ea31c9af3570951461718032b7520edbb3c94ef
Opcode Fuzzy Hash: ca0737ad3b4449c2b88f5e3ab455cb045f7dc09c4e14c18ef94007a83bd96a02
Instruction Fuzzy Hash: 53421276A00211DFCB18CF68DC90AAEB7B2FF49310F598179E905AB395D734AD11CB84

Function 00437399 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

., xrefs: 00437535
kl, xrefs: 004377AC

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$kl
API String ID: 0-2631956018
Opcode ID: d144eace9ea77f902bcb9140e81b2a0528f571a57748096d515ff42ca28c8b60
Instruction ID: 6e525d0f0299ed0e456b3adafb39e2bcab09d4ef44449d93680b2b5d8b67f0fb
Opcode Fuzzy Hash: d144eace9ea77f902bcb9140e81b2a0528f571a57748096d515ff42ca28c8b60
Instruction Fuzzy Hash: 1FE1173A218709CBCB189F78EC5127A73F1FF4A741F4A887DD8818B2A1E7B99950C714

Function 0248ABA7 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 0248ADC4
de, xrefs: 0248AD5A

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: a3400a792dbe62ec94cc1ff4fa32dd1f163f65084384a4d3b31ff9b3345a5ce3
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 9BD10A7265C3644BD724EF2888516AFFBD2EFC2208F18496EE8D19B391D775C506CB82

Function 0040A940 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

de, xrefs: 0040AAF3
BE, xrefs: 0040AB5D

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: 2d7de7b673e5cb152189fb1770f850f450cdad5ace7171a4f245c8b9200c7c18
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 2BD1057264C3544BD728DF2888516AFBBE2AFC2304F19492DE8D1AB391D678C916C787

Function 024845D7 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 024849C8
), xrefs: 02484652

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 77fecbe1ae68033b4a8663d8c056a40f5f9b3b2dca52a2b3e7224ada374ec122
Instruction ID: e1816e4ec8c87f1ea5c1a08517835fdc413b418ad9c2f9b45a8b33971d1ea1ef
Opcode Fuzzy Hash: 77fecbe1ae68033b4a8663d8c056a40f5f9b3b2dca52a2b3e7224ada374ec122
Instruction Fuzzy Hash: 66D1BFB19083459FE720EF28C840B5FBBE5AF94304F04492EF999AB381D775D948CB92

Function 004239F2 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

?{;}, xrefs: 00423815
+oQ, xrefs: 00423838

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: +oQ$?{;}
API String ID: 0-1414831546
Opcode ID: 1ee29228f1a6319e217c168091de010b371413e67c26b3c1ec204d280338f3ea
Instruction ID: f7e0cf01948a060ca3ae4ae96257901d3d9473cfc3be429b8585dccf822635a3
Opcode Fuzzy Hash: 1ee29228f1a6319e217c168091de010b371413e67c26b3c1ec204d280338f3ea
Instruction Fuzzy Hash: BCB1BFB4E043189FEB20DF68D942B9EBBB0FB45304F1081ADE158AB381D7758946CF96

Function 024AB427 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

Fg, xrefs: 024AB4BE
RU]l, xrefs: 024AB43F

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Fg$RU]l
API String ID: 0-3680832515
Opcode ID: 212695677cf782d22b69bcc5005693ffe3c19f735568b368facab7bd000f874a
Instruction ID: 23352fc8e9d744e6c6d5e1c93ed4da7102920fdd9c62647b41baec33340df81d
Opcode Fuzzy Hash: 212695677cf782d22b69bcc5005693ffe3c19f735568b368facab7bd000f874a
Instruction Fuzzy Hash: 5771C77121D3808BE7798F25C8617EB7BD3EBE2218F18996DC0D947392DB39400ADB12

Function 0042B1C0 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

RU]l, xrefs: 0042B1D8
Fg, xrefs: 0042B257

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Fg$RU]l
API String ID: 0-3680832515
Opcode ID: 2cdefad0313fa6e4cc5bdb883f2834b1e6d918137519908ea04b1d30e5e067f0
Instruction ID: 6f8db59bce85ef316af4e5eced37d01641f7d5c841364d3efc2c21db6cf2a903
Opcode Fuzzy Hash: 2cdefad0313fa6e4cc5bdb883f2834b1e6d918137519908ea04b1d30e5e067f0
Instruction Fuzzy Hash: 2171087120D3808BE7398F25D8A57EB7BD2EBD2304F58996DC0C987392DB78440ACB56

Function 004256F9 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

h, xrefs: 004258EC
O28+, xrefs: 00425935, 00425942

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: O28+$h
API String ID: 0-657163135
Opcode ID: 8dd85ae810d5b5fecc68ec4464ee5e33d050158683b23acf0f2d06bcda51bc6b
Instruction ID: 943cae955c8ebe7c4b26d457fd1afafbf5e793f4316e69c7cecf830d1c43eab0
Opcode Fuzzy Hash: 8dd85ae810d5b5fecc68ec4464ee5e33d050158683b23acf0f2d06bcda51bc6b
Instruction Fuzzy Hash: B561BE32B887258BD3149A38A8901B7F791EB55350F88473EDD96873C2E63C9D09C3DA

Function 024BCD87 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

@, xrefs: 024BCE5C
ihgf, xrefs: 024BCE7A

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: @$ihgf
API String ID: 0-73152791
Opcode ID: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction ID: edb45b757f3296fd3e75d76d1f1fed6797a38a386dc29e24633baeaf1c52c19b
Opcode Fuzzy Hash: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction Fuzzy Hash: 4F4102B5A042018FD715CF24C8C17BBB7A6FF82318F14862EE5959B390E735A915CBA2

Function 0043CB20 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

@, xrefs: 0043CBF5
ihgf, xrefs: 0043CC13

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @$ihgf
API String ID: 2994545307-73152791
Opcode ID: b76e2e665ab3f88f5f7ecfe080de7e118712eda281a429bd95dd341074e0adb8
Instruction ID: cc847ee4b474d0efd8a0440ac8e8375c275344d67ffd0b73ceeb6cce142f8bff
Opcode Fuzzy Hash: b76e2e665ab3f88f5f7ecfe080de7e118712eda281a429bd95dd341074e0adb8
Instruction Fuzzy Hash: 6D413AB1A043018BD714CF24D89277BB7A1FFCA318F14952DD489AB391E739E915C78A

Function 0249554C Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

^P, xrefs: 024955B2
Z\, xrefs: 024955AB

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Z\$^P
API String ID: 0-3724859648
Opcode ID: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction ID: 3ed233613240f3d48e8c476488e5d4917bc9795eedf7bb8d14322ae44cdbc2e1
Opcode Fuzzy Hash: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction Fuzzy Hash: 7C41C2B1911600CFCB19CF28C891A62BBB2FF89324B16855DD49A8F765E734E842CB55

Function 0042750D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

AzB, xrefs: 004275AA
`rB, xrefs: 00427341

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction ID: 6eccde100400f429e4c459893b2eae1b4256d2ec662aaeb68cc10dd30f14b8df
Opcode Fuzzy Hash: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction Fuzzy Hash: 44118BB960C3919FC3049F29D59011BFBE0ABD5708F54DA6CE8C96B312D338DA018B8A

Function 00427326 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

AzB, xrefs: 004275AA
`rB, xrefs: 00427341

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction ID: f6425de8d121e4265380cb8b8556ee32d0ff2cc323f56d540e3951a84df8493e
Opcode Fuzzy Hash: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction Fuzzy Hash: 810169B520D3919FC3049F29D59011BFBE0BBD5708F549A6CE8C96B312D334DA418B4A

Function 00417582 Relevance: 2.2, Strings: 1, Instructions: 985COMMON

Download Yara Rule

Strings

c$, xrefs: 00417707

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: d3ebbaef30565196f274c8e89b57c4db92bba8447b693202f34b7e37aa6ab2c1
Instruction ID: 8ddf10d90ef0e2d4ef8b1445a283de62437e0b874c2761f734db7318cd05b52d
Opcode Fuzzy Hash: d3ebbaef30565196f274c8e89b57c4db92bba8447b693202f34b7e37aa6ab2c1
Instruction Fuzzy Hash: 2F6205742087418FD7258F28C8907A7BBF2FF5A310F19866DD4964B792D338E846CB58

Function 024B9A97 Relevance: 1.9, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

f, xrefs: 024B9CCC

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 63a83f5a27331d9fe3a04257bda5fcaf30bc217a6dc898aca3077588f1bd9e28
Instruction ID: fd76e4508406a8fdf5ee9760a4cce4852087ffa567f57879faa4c9efc23ed29f
Opcode Fuzzy Hash: 63a83f5a27331d9fe3a04257bda5fcaf30bc217a6dc898aca3077588f1bd9e28
Instruction Fuzzy Hash: 3B22E1756083518FD719CF25C880B6BBBE2BFC9314F188A2EE59587391DB70D806CB62

Function 00439830 Relevance: 1.9, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

f, xrefs: 00439A65

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: b46a8015aa8989e18fcfc994abe159656f3f5075906cadacb80bce7823f6c0cd
Instruction ID: c6061003a35e321c419c30bd02a3c4e1c0b56f4f8cbc670ef9e4360bbe252bef
Opcode Fuzzy Hash: b46a8015aa8989e18fcfc994abe159656f3f5075906cadacb80bce7823f6c0cd
Instruction Fuzzy Hash: 7722EF756083518FD718CF25C880A2BBBE2BBC9314F199A2DE4D587391DBB4EC06CB46

Function 00415F66 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

A67H, xrefs: 004164FD

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: A67H
API String ID: 0-3389657328
Opcode ID: 8cecec2cc2e6e176e845aa1397af3039d5d67745fd03e8a435e279ebfdfa12b2
Instruction ID: 0278bb419d5cbe6ad6e5f6493e2644ba58dfc9cb1efb87832400374d385c740d
Opcode Fuzzy Hash: 8cecec2cc2e6e176e845aa1397af3039d5d67745fd03e8a435e279ebfdfa12b2
Instruction Fuzzy Hash: A81225B4604601DFC724CF28D891767B7E2FF5A314F15892DE4AA87792D738E882CB58

Function 02498F35 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

[, xrefs: 0249942B

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: [
API String ID: 0-3878419350
Opcode ID: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction ID: fa7c806fdbc4176f12455e09202549721930326aa32a2ff69709370a49a8f25c
Opcode Fuzzy Hash: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction Fuzzy Hash: D0021075600702CBCB34CF29C8D1667BBF2FF9A314B19859DC4864BBA5EB39A412CB50

Function 024B6E67 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 024B6F8C

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k
API String ID: 0-1228391949
Opcode ID: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction ID: 449372fe72bdc05897a95865896d0a563ed0b6f0f380e8c7e837a40e0ad4d11f
Opcode Fuzzy Hash: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction Fuzzy Hash: 55C15876A083504BD716DF21C880AAFFBE6AFC6704F19892EE68557790D7319841CBB2

Function 00436C00 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00436D25

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k
API String ID: 2994545307-1228391949
Opcode ID: ee2511f57d07ddc5dcb30b837298e4dd3a8f37d85f1e3bd68ab8ff00062e0fa2
Instruction ID: bb41e8b13f176b197a8e10d4dde50fa6e0ce8ca76c9034d38a3517968bb0ad29
Opcode Fuzzy Hash: ee2511f57d07ddc5dcb30b837298e4dd3a8f37d85f1e3bd68ab8ff00062e0fa2
Instruction Fuzzy Hash: F4C15A75A083116FD724DF21D881A2BB7E2ABDE704F16AA2EE5C553781D638DC04C78A

Function 00427DA2 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

m, xrefs: 00427DE0

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 06c799813fc5a4d2ee9ed489dbc55438d2506092defca999b9944da2a72204aa
Instruction ID: 244b2cefeb1f5bc2c232bbf8925c55c2a37160be3d0d910679bc8471d4ecd8fe
Opcode Fuzzy Hash: 06c799813fc5a4d2ee9ed489dbc55438d2506092defca999b9944da2a72204aa
Instruction Fuzzy Hash: C6D134B5A093109FC320DF24D89126FB7A2EF96304F49492EE9D587352EB38D905CB96

Function 024A5BF7 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 024A5CCC

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 167H
API String ID: 0-2704650348
Opcode ID: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction ID: 471544097740ab14813bcf70aa3c5efef477192c08753e7980c08d360f4fb475
Opcode Fuzzy Hash: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction Fuzzy Hash: F4D18972A093444BD714CF288CA17ABB792EFE5314F59862EE985873C1D735D906CB81

Function 0249C921 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

. , xrefs: 0249C9CE

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction ID: 749b7616d8414959277a48cdb97a749364f26450334e55306b5d6e3cf411a9a5
Opcode Fuzzy Hash: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction Fuzzy Hash: 47C1F8B5D006118BCF24CF29C8917BBBBB1FF89314F19825ED895AB790E734A941CB90

Function 00425990 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 00425A65

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 167H
API String ID: 2994545307-2704650348
Opcode ID: 3f7913c2959e065ee0aa93dc333931d67ae9576e316e456e6394b25aa21ac57b
Instruction ID: bf2ece600eee686df0bdf1c423ff2d06ad0eddb47c6a63d29c729e7fd306df6e
Opcode Fuzzy Hash: 3f7913c2959e065ee0aa93dc333931d67ae9576e316e456e6394b25aa21ac57b
Instruction Fuzzy Hash: 35D19932B147244BD714CF25A8816BBB792EBD5314F99862EE885973C1E7389D05838A

Function 0041C6BB Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

. , xrefs: 0041C767

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction ID: 5388aebb9722ef47512ed6758712c035957564ba8f43e3dcaa493907b87915b9
Opcode Fuzzy Hash: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction Fuzzy Hash: 5FC12AB5D40212CBCB24CF69CC916BBB7B1FF95310F19825DD896AB390E738A841CB94

Function 00428BE9 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

H, xrefs: 004290E3

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f90cc14d5b1d07471296a569d27c41b333f7458cf0fcf530a90d726fe5722012
Instruction ID: 0c29c4f326a3360d4f83cd19facfb249d1e6e8dcfa8d7f8eb9091c930c4cf0c7
Opcode Fuzzy Hash: f90cc14d5b1d07471296a569d27c41b333f7458cf0fcf530a90d726fe5722012
Instruction Fuzzy Hash: 69D17634B05254CFDB14CF78E8D16AEBBB2AF1A310F6841BDE5519B392CB384906CB59

Function 024A1F77 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 024A1FE4

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction ID: 380cf20ea5d2411fe0cf3851994aea14201550f8249a442476bdf97d01bf174f
Opcode Fuzzy Hash: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction Fuzzy Hash: 7BA17BB26082105BD715DB28CCA277BB3E1EFA1324F09852EED969B3C0E3B4D905D752

Function 00421D10 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 00421D7D

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 218c5c0ac0dda5540e0c1ea4323a3af347f339793a0b8cf238deabf448903b3e
Instruction ID: c9f534a10d10fcbb0aeeb65dde57b2602cc7be5083ad25e1a4bd69b4b534b867
Opcode Fuzzy Hash: 218c5c0ac0dda5540e0c1ea4323a3af347f339793a0b8cf238deabf448903b3e
Instruction Fuzzy Hash: 6FA14B71B042205BD7249B289C5267BB3E1EFA1324F89852EF896973D1E77CED01C35A

Function 0041CB05 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

. , xrefs: 0041CBA7

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction ID: df86e8cabfd52562b6ebe50b702b66c3677f2f48fb8aab21b174fbacb2a831e7
Opcode Fuzzy Hash: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction Fuzzy Hash: 8AB1F4B5E402128BCB248F68CC927A7B7B1FF55314F19915ED845AB790E738AC42C7D4

Function 024883C7 Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

-, xrefs: 024884EC

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 27c89adea84a4971459812ff31a4728146f694fcb44008b8af47e8cd9ff8a59b
Instruction ID: ae89ce379813568deb0bbb84b14992f19032d2708220660c784847ba3a350cec
Opcode Fuzzy Hash: 27c89adea84a4971459812ff31a4728146f694fcb44008b8af47e8cd9ff8a59b
Instruction Fuzzy Hash: 07D10C31A187494BC718EE29C89026FBBE3EFC1624F588A2EE4E5173D5D7389945CB81

Function 0249C528 Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

de, xrefs: 0249C5B4

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: de
API String ID: 0-2106599819
Opcode ID: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction ID: 3c9150d9ff40b1b37d16856c17321ed8f55643978e51e74a7a13a5c4cb7861a5
Opcode Fuzzy Hash: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction Fuzzy Hash: 4E9132719083118BC724DF28C8D276BBBF2EF99324F18992EE4D64B391E7798505C792

Function 0249D4D7 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 0249D5A2

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 0586b10d706dca5a64b5c4dddf8e23f91b5afc25d5560ad33649bb62161a3210
Instruction ID: 06779590fa8c69f09aefe10d0ff5973972e3a51979e18899104f063af5ed9aaf
Opcode Fuzzy Hash: 0586b10d706dca5a64b5c4dddf8e23f91b5afc25d5560ad33649bb62161a3210
Instruction Fuzzy Hash: 8EA12976E046619FCB15CE28CC8066BBBE1AF85324F19867EECA997391D7318C06C791

Function 0041D270 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 0041D33B

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction ID: fb8d2d24bbcf8da77d425a74861fbc6d37f4fcabb9a6f9815e5d7f96e75daac0
Opcode Fuzzy Hash: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction Fuzzy Hash: E2A14772E042215FCB15CE2888806ABB7D1ABD5324F19823EECB99B3D2D634DD0697D1

Function 00426E50 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

RpB, xrefs: 00426FEB

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: RpB
API String ID: 0-664042118
Opcode ID: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction ID: f37ba1eb55105a71e6c02689e7a75f224f26334d47d5f70d86fb510902375083
Opcode Fuzzy Hash: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction Fuzzy Hash: 09B12532A0C391CFD314CF28E89072AB7E2BF8A711F1A4A6DE59597391C7349D45CB4A

Function 004252BA Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

d1, xrefs: 004254D0

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: d1
API String ID: 0-4211392460
Opcode ID: 3abdf2bcb45d9466dd71f56e8b033396586f3e76f733206a88a727156f1065f4
Instruction ID: 74c04020a71521c8b9984734295d0b81cdc6df3862d17ec890c7cf8b211da757
Opcode Fuzzy Hash: 3abdf2bcb45d9466dd71f56e8b033396586f3e76f733206a88a727156f1065f4
Instruction Fuzzy Hash: 409112B5618200DFD714DF24E881A7BB7A0FB8A705F84593EF48693361DB38C9158B4A

Function 024BDA97 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

cdef, xrefs: 024BDAFC

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: cdef
API String ID: 0-4216504194
Opcode ID: 6cfb0631b4c3af94e0a4d7ca533938db559d7b6d0bfe02f92feebc81ba876585
Instruction ID: 572ca5d0947c520602ad4aba03d7ce4505958a586629e3af2f8388d03d5464aa
Opcode Fuzzy Hash: 6cfb0631b4c3af94e0a4d7ca533938db559d7b6d0bfe02f92feebc81ba876585
Instruction Fuzzy Hash: 94814871A08350CFC726CF14C890AABBBA1EFD6714F28896DD9D557395D731A801CBA2

Function 0043D830 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

cdef, xrefs: 0043D895

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: cdef
API String ID: 2994545307-4216504194
Opcode ID: d9e8f1ee42311986f1eec1db1d15d5cb27079d05f35c354e80ab23b15ff2b9d0
Instruction ID: d704160fc5b89d86d9794d8a66ae716d782a0973953182dc9c1641cf0cee7e05
Opcode Fuzzy Hash: d9e8f1ee42311986f1eec1db1d15d5cb27079d05f35c354e80ab23b15ff2b9d0
Instruction Fuzzy Hash: 30815471A083108FC718DF24E88096BBBA2EFDA310F19993DE9D557352C735AC05C786

Function 0249734A Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

gfff, xrefs: 02497559

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: c5d9ff75fed77c201b8d14b3cc3b758706ca82fef0a51ed8aa8899dc59fb4eb5
Instruction ID: b72094360f49f593122c80eda49c80655e3dd75c4d2e22d7dcdaa45787506178
Opcode Fuzzy Hash: c5d9ff75fed77c201b8d14b3cc3b758706ca82fef0a51ed8aa8899dc59fb4eb5
Instruction Fuzzy Hash: 2C91E4B16507428FD724CF39C850BA6BBD2EB86314F18C57EC596CB796EB78A442C740

Function 024977E9 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

c$, xrefs: 0249796E

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction ID: 1b5f3761f8c1b73a5bb898a2eb0581f8d149aa154b083609e48ed751defe9bdb
Opcode Fuzzy Hash: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction Fuzzy Hash: 349179B01117418FEB64CF25C8A0B63BBB2FF46318F159589C4864FBA1E379A846CB94

Function 024AB393 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

Fg, xrefs: 024AB4BE

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Fg
API String ID: 0-875302535
Opcode ID: 42a71ed4ddc16415858e4dfc4422956aad04ddc95995e0a2601de5add053e1e2
Instruction ID: 6364b440988ee8a53e54544f774f6c722a4190974d959617f58207090a1b733b
Opcode Fuzzy Hash: 42a71ed4ddc16415858e4dfc4422956aad04ddc95995e0a2601de5add053e1e2
Instruction Fuzzy Hash: 1581987161D3808AD7698F25C8657FBBBD3EBE2308F18996DC1D987392DB35400ACB16

Function 0042B12C Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

Fg, xrefs: 0042B257

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Fg
API String ID: 0-875302535
Opcode ID: cec98c6035f8278796335b79b8fe425f66d685e3fc2c40d87c06063720ff0d23
Instruction ID: 81bd39487229f81fa75b1a19b8121f8c05985a2d1a0f7b16a24bef680633e699
Opcode Fuzzy Hash: cec98c6035f8278796335b79b8fe425f66d685e3fc2c40d87c06063720ff0d23
Instruction Fuzzy Hash: 6F81E47121D3808BE768CF25C8657ABBBD2EBD2304F58896DC1C987392DB38440ACB56

Function 02486117 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0248624D

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction ID: bf278aadbb20038f6aab9d648416dd1b324c1514d35fea2726600984c625ad27
Opcode Fuzzy Hash: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction Fuzzy Hash: 93B148706083859FC361DF18C98062FFBE4AFA9604F444A2EE5D997342D631E918CBA7

Function 00405EB0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00405FE6

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction ID: 6b9defcb35fa499ff27616791264c6e5e8496363bec20089c87d7e70d31ec12b
Opcode Fuzzy Hash: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction Fuzzy Hash: 72B136701087819FC321CF18C88061BBBE0AFA9704F444E6EF5D997382D635E918CBA7

Function 0249B348 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

js{g, xrefs: 0249B5B3

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: js{g
API String ID: 0-1014319796
Opcode ID: 2bedd816319602fe80fa94cf924704a6c11e2863fdffa8fa3602250936590e55
Instruction ID: f3dd9fa4310f82fc78a4f82b1fb38002df3e41983b5c04b0e86dde49876ea9e1
Opcode Fuzzy Hash: 2bedd816319602fe80fa94cf924704a6c11e2863fdffa8fa3602250936590e55
Instruction Fuzzy Hash: CA813271240B804BEB398F35D8517ABBBE2AB52718F08895DD5C39BF85C3B8E406CB00

Function 0041B0E1 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

js{g, xrefs: 0041B34C

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: js{g
API String ID: 0-1014319796
Opcode ID: 9c18fcfdf183d3e6e2325b026543344db9fcf0b9b7ccceb31fbfaeb5f3b5c64c
Instruction ID: 14be18684298a51b6f1365b8eea6b5aba3066a4a8cfe6059be97ad669d3f7baa
Opcode Fuzzy Hash: 9c18fcfdf183d3e6e2325b026543344db9fcf0b9b7ccceb31fbfaeb5f3b5c64c
Instruction Fuzzy Hash: FF815671650B804BE7398F35C8517ABBBE2AB56718F08895DD4D39BB85C378E406CB44

Function 0041714B Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

gfff, xrefs: 004172F2

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: gfff
API String ID: 2994545307-1553575800
Opcode ID: edeab19d381afadd31cc405ebd905f0fbf719b22c328d17ebe50dae378019542
Instruction ID: c6a45f7a1688543314b9a3a30fef6f223fff4d1289bb41df6adbe344278a34bf
Opcode Fuzzy Hash: edeab19d381afadd31cc405ebd905f0fbf719b22c328d17ebe50dae378019542
Instruction Fuzzy Hash: 0F81D2717147418FD325CB39CC50BA6BBE2AB95308F18C57ED096CB7A6EA78A842C744

Function 024BD557 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 024BD57C

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction ID: ec4409d0e23f1815ae0e9a109a8d1c68bdff59348f28f477a7c06adb04673e52
Opcode Fuzzy Hash: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction Fuzzy Hash: E981E374A04201DFD716DF28C880AABB7F2EFD9714F19856DE5858B3A1DB31E841CB52

Function 0043D2F0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043D315

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 1de35141843d01284fbd49b4b94197a3011845f6d285c59de9b2ec666c4b6e9d
Instruction ID: 39294a001ccb7b60b57bd072fead094b817a0247c43ae1e4845dbb8435dacfda
Opcode Fuzzy Hash: 1de35141843d01284fbd49b4b94197a3011845f6d285c59de9b2ec666c4b6e9d
Instruction Fuzzy Hash: 5B81C274A04201AFD714CF28E881A6BB7F2FF99314F15A52DE5858B3A1DB35EC11CB46

Function 024973B2 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

gfff, xrefs: 02497559

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: de86720abe9662384bfc4389f4b275199587a53d7c35c6b33b3c21993df62823
Instruction ID: 3857215666f84e8390459b9bd9abf44e1a4e85b426ac560a58865be899005c0d
Opcode Fuzzy Hash: de86720abe9662384bfc4389f4b275199587a53d7c35c6b33b3c21993df62823
Instruction Fuzzy Hash: B671D2B17107414FD729CF39C85076ABBD2AB86314F18C57EC096CB7A6EA78E442CB40

Function 024AA637 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 024AA835

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 045a9a66e0ca56219c33e5b6367f29c7ce276d61e6951a7732c068842d72bae6
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: A871D432A083658BD7248E2CC4A032FBBF2ABD5754F19852EE4949B391D335DC46CB82

Function 0042A3D0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042A5CE

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 4b2f630bb6a68757ad0504ce5be77257e5761d12b45ca5ba0373d51c8e5240e3
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 22710532B083259BD714CE28E88431BB7E2ABC5710F99852EEC948B391D379DC55878B

Function 00424502 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

DB, xrefs: 00424795

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: DB
API String ID: 0-3908451873
Opcode ID: 0ddf0731ddfeaa883e7311870e36d02f96856f6d12ce1652dd7f7008e8803fec
Instruction ID: 63fe74dcdf674bdd3faef37b2e0283437cd793175f1af46cf0498e51130e9ee1
Opcode Fuzzy Hash: 0ddf0731ddfeaa883e7311870e36d02f96856f6d12ce1652dd7f7008e8803fec
Instruction Fuzzy Hash: A381B67AF04225CBCB18CF64D8905AEB7B2FFDA710F59806AC841AB355DB349D42CB54

Function 00424A74 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

LB, xrefs: 00424CE6

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: LB
API String ID: 0-539997225
Opcode ID: d02495da20a3f8a7219353459d550f72d20704d827e4251e17801bf690faaf74
Instruction ID: 190c79d128488961cfb389f9b0ffad8fedd0031ada35975bf34f4c17adb32e46
Opcode Fuzzy Hash: d02495da20a3f8a7219353459d550f72d20704d827e4251e17801bf690faaf74
Instruction Fuzzy Hash: D1618E31B412228BDB18CF29E8A12FBFBE2EF91310B58466ED4574B3C1D7389941D799

Function 0249DFB7 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Y*>, xrefs: 0249DFBB

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Y*>
API String ID: 0-3862480330
Opcode ID: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction ID: fb16322e453b7c659a8661eae6fdd911598fc5404158bfb078b4b9f78130c322
Opcode Fuzzy Hash: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction Fuzzy Hash: 7C512633B499914BEB2DC93C4C223AAAE834BD6134B2DD77BD8B1CB3E5D56588468740

Function 0041DD50 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Y*>, xrefs: 0041DD54

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Y*>
API String ID: 0-3862480330
Opcode ID: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction ID: 90e50e1672eaf7fe8d97f2f09bdb4033b3ef25f85dbdb073c688402916a0328e
Opcode Fuzzy Hash: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction Fuzzy Hash: 4C510573F499814BD72C893C5C223EAAA834BD6234B2DD77BE4B2CB3E4D5698C464345

Function 024A8009 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

m, xrefs: 024A8047

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 41b4e45d489525032a7ff55d2696e510600e92b2c3d7551ddfae36ad8bd27945
Instruction ID: f53be0f73d4a47ab0116ceaf74d970fa49048ab4d533bbbccf5476e0c055a057
Opcode Fuzzy Hash: 41b4e45d489525032a7ff55d2696e510600e92b2c3d7551ddfae36ad8bd27945
Instruction Fuzzy Hash: 355126B19083908FD724DF2984A166FBBE2EFE1304F05892EE5D587351D739D909CB92

Function 024BA9DE Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 024BAAD0

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 93f77f600156081d49453e92a0e26cac2a14de1a0dcf10148a5ca4829222eb59
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 8B4129B6E116218FD704DFA4CC845ABBB72FF84315B0AC1A8C8847B315D77869078BE0

Function 0043A777 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 0043A869

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 72f7098589d43736da4273b9d7e3299e197f10f25cbeea51759b9c2434ba13e7
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 8E4119B6E116558FD704DFA4CC855ABBB72FB88315B1AC1A8C8847B319D77868078BD0

Function 024BCFC7 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 024BCFEC

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction ID: 1f53fd0d68990542ebf43f0cfbd40389b85a54fda75baf375d1a4998570fa572
Opcode Fuzzy Hash: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction Fuzzy Hash: 03312630B04300EBE7118F249C80BBFBBA4DF8671CF28496DE68593390D721E852CE66

Function 024BD0F7 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 024BD11C

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction ID: eb1d7d0378c3962e13bb0c83517e7c9052d7ecb5741a8418096a831f3850064f
Opcode Fuzzy Hash: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction Fuzzy Hash: 77310934B04341EBE7168B249C81BBBBBE5EF8A718F24457DE68457390D731E850CA76

Function 0043CE90 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CEB5

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: eabeb2773ff9bbc58c6c2f5a50c7ebc9f6505f28b325af4d1c0bf5b4a04395ef
Instruction ID: 0aea9c019cfcbf9c29137c9c12aa4ed540cc4986b7a763f7409eb823f2adcf13
Opcode Fuzzy Hash: eabeb2773ff9bbc58c6c2f5a50c7ebc9f6505f28b325af4d1c0bf5b4a04395ef
Instruction Fuzzy Hash: 9831D474308300AFE7109B249CC1B3BF7A6EB8A718F24692EE584A72D1D665EC10875A

Function 024A6739 Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

dB, xrefs: 024A6739

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID: dB
API String ID: 0-2104629891
Opcode ID: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction ID: 88d28f4539103711ef6104adbc4c901a24cbbd6804f5379e7088d630b29811a1
Opcode Fuzzy Hash: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction Fuzzy Hash: 5DA00129A9E6548AD2119F4494927F0F778E31770AF1438289904AB153D196E950864C

Function 004143C2 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7351b713fdd79e4b11a44c2f3e170ae42ed99a1303c69a2fe6fdb41bd9a8d7aa
Instruction ID: d6216dced0a3b9436857ee0068e0dff51503e5ecb223af83f8720e1cf69b390d
Opcode Fuzzy Hash: 7351b713fdd79e4b11a44c2f3e170ae42ed99a1303c69a2fe6fdb41bd9a8d7aa
Instruction Fuzzy Hash: F02242B56082009FE7149F24EC41B6B73A2FBDB300F55893EF6C487292DA799C41CB4A

Function 00416BA5 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7678f017f308848797c1ab2fc33ccddf339249d7514e43f7e0819896a5eda0
Instruction ID: 9c79f7e63c480dd40f7a7ccc60d41b21814d9940eb0dc65dd07d8a453e372cf2
Opcode Fuzzy Hash: 5a7678f017f308848797c1ab2fc33ccddf339249d7514e43f7e0819896a5eda0
Instruction Fuzzy Hash: 16120E35204B018FD325CF29C8907A3BBE2EF9A314F19866DD4DA8B795D738E846CB54

Function 02483207 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction ID: 7ef22f74320786e985984db4684891e33db06cf37ac3f1a4b90d4ae89cdd28e9
Opcode Fuzzy Hash: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction Fuzzy Hash: 8E52F3715183458FC715DF18C0906AEBFE1BF88B18F1986AEF8995B341D774E889CB81

Function 00402FA0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction ID: b7901f3288d9e4572b9bc57ce4c79cacd886df45a950704f10474c7163005246
Opcode Fuzzy Hash: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction Fuzzy Hash: CE52F4715083458FCB14CF18C0806AABFE1BF89315F18867EF8996B391D778EA49CB85

Function 02486947 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f260d4ba8b532cff43b70e0305cc444787dac05339277c8b44483d328b2ca1f5
Instruction ID: 1f2acf7be47b03e23fd54eba74ebe2fbb865082f0c63473d8b1e041d753d5fe4
Opcode Fuzzy Hash: f260d4ba8b532cff43b70e0305cc444787dac05339277c8b44483d328b2ca1f5
Instruction Fuzzy Hash: 5852E570A18B848FE771EB24C4943ABFBE1EB41314F15492FD5EA06BC2D379A485CB16

Function 004066E0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0d0db576f8f4a099c36225a03624d7682871d61e803cbbd0c0fa625a463efe
Instruction ID: f9402e00db0146810cf529bce4eeb96ef771652ee20e7226bad8efb3fef3d353
Opcode Fuzzy Hash: 7b0d0db576f8f4a099c36225a03624d7682871d61e803cbbd0c0fa625a463efe
Instruction Fuzzy Hash: DA52C7B0A08B848FE735CB24C4843A7BBE1AB51314F15893FD5E716BC2C27DA995C71A

Function 0249F347 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction ID: 379f34030245abb869f7841496477135af09ff579d289cec90ed8b53ab3637d5
Opcode Fuzzy Hash: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction Fuzzy Hash: 87625CB0608B818ED325CF3C8855797BFE5AB5A314F048A5DE0EE873D2C7B96405CB66

Function 0041F0E0 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction ID: d272bb6b5d6e2c7a5f0cafe8b1d1f27913d4ef5c9ad92f98558892845c7f91e7
Opcode Fuzzy Hash: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction Fuzzy Hash: B5625CB0608B818ED325CF3C8855797BFE5AB5A314F048A5DE0EE873D2C7B96405CB66

Function 02483C27 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678ad88440436fc2347c77ec1617077ed1d00620730d0d2d7e6321ebe71b5d32
Instruction ID: 939b1bda7137b1d84d7c2f62d406c41550934713dde7fc45adb5931d91826267
Opcode Fuzzy Hash: 678ad88440436fc2347c77ec1617077ed1d00620730d0d2d7e6321ebe71b5d32
Instruction Fuzzy Hash: 85322471524B118FC378EF29C69052ABBF1BF45A10B504A6ED6A78BF90D736F885CB10

Function 02487717 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction ID: 8144078db26368c744c360e93e32fc00ce9f8f0de831ebeb02b125b62bc0a424
Opcode Fuzzy Hash: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction Fuzzy Hash: B802C7366187518BD724EF18D89067FF3E2EFC4309F29892EC98697385E734A545CB42

Function 004074B0 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction ID: 1131e2afb1b9b7a06d06e0851762e967182e12a53f43e8bd2da4f6050e1e8ff1
Opcode Fuzzy Hash: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction Fuzzy Hash: C802C732A0C7118BC724DE18D8816ABB3E2EBD4345F19893ED586A73C5D738B815CB4B

Function 004180A9 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9cd94a92c7e0d93f0c1db0f6149aa8383bb4963fce823e7fd41077e0e8b1306
Instruction ID: 6564eefc0a79269b3db00a3a3e2fdb8cf1d61b2510fe7412d98733e2447c0821
Opcode Fuzzy Hash: b9cd94a92c7e0d93f0c1db0f6149aa8383bb4963fce823e7fd41077e0e8b1306
Instruction Fuzzy Hash: 6CC128342047418FD7258F28C890AA7BBE1FF9B310F58896ED4D6477A2CB75E846CB58

Function 0043C280 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction ID: 2610ce8d2ada8b42ce1f8a49459609e4fff09a6b757421d9f45879ca41997f09
Opcode Fuzzy Hash: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction Fuzzy Hash: A8D10E36A187508FC704CF28D8D162AB7E2BBCE314F09897DE98687396D738D905CB46

Function 0043C1F0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction ID: b593eabd3734573ca464a0f0c89662c3852b345cc910da406a972fedca83911a
Opcode Fuzzy Hash: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction Fuzzy Hash: CDC1ED3AA18611CFC704CF28D8D066AB7E2FB8E315F19887DE98687352D738D945CB46

Function 02485C57 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2680bab9b6854d00e0753734e73372bb980c2eb61b62fe20cb4c3e0bac24b1
Instruction ID: 87b3f835fa5bd3ce3770cbf32822303de73faf0344c427b6f8872b90041194a1
Opcode Fuzzy Hash: 9f2680bab9b6854d00e0753734e73372bb980c2eb61b62fe20cb4c3e0bac24b1
Instruction Fuzzy Hash: EBE18A311083458FC321EF29C880A2BFBE5EF99204F44892EE5D987752E335E948CB96

Function 004059F0 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3d702f462c947c04f76d2767d49a70cc8d8a13f72f5fef100d598c3194e41d
Instruction ID: 93b8c5387be001e94cab0129f885dbabef0bc68014b552001e05b684e15851e5
Opcode Fuzzy Hash: 2e3d702f462c947c04f76d2767d49a70cc8d8a13f72f5fef100d598c3194e41d
Instruction Fuzzy Hash: 48E19A712087418FD720DF29C880A6BBBE1EF99304F44882EE4D597792E379E944CB96

Function 004166A0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction ID: 32691a19542b475e5b32abf01bf61a59727b98503660fe5e1cf9ea7214f750c2
Opcode Fuzzy Hash: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction Fuzzy Hash: FBC1CEB4600302CFD7248F25C8917A2BBB1FF46314F1986ADD4964F792E778E885CB95

Function 00428BC0 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388e2b6d0a182aa95bd5de263f76d1b454a1f9af5a69695319d1fde35becd882
Instruction ID: f9929a72ce68a40c3f81f5f1acad1d241ce5af9a0f8176ac8c595b8a2b44423d
Opcode Fuzzy Hash: 388e2b6d0a182aa95bd5de263f76d1b454a1f9af5a69695319d1fde35becd882
Instruction Fuzzy Hash: EDD15535B05255CFDB14CFB8E8816AEBBB2AF1A300F58417DE551A7392CB388E05CB59

Function 02499541 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6ff38b7f88a38b39f0feb0216d1201f336bfe1d4496b7dedc26c113c3b1706
Instruction ID: d5cd215c1b13ba096a7edb23500220196433edaf6f6a9a1475f9fa8c711fd96c
Opcode Fuzzy Hash: 0a6ff38b7f88a38b39f0feb0216d1201f336bfe1d4496b7dedc26c113c3b1706
Instruction Fuzzy Hash: 25A15971211740CFD729CF29C861A777BF2EF86314719869DD4A28F7A5EB38A801CB50

Function 004192DA Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b520a97f650d78ec3e4206198fbb7b152170e0c1bb9b71eb1cf8cd26d43cec
Instruction ID: c7afa36b394fec79d3864c076b52a9d2828a05187d2106694a5d2b7072183649
Opcode Fuzzy Hash: 07b520a97f650d78ec3e4206198fbb7b152170e0c1bb9b71eb1cf8cd26d43cec
Instruction Fuzzy Hash: 30A11571205701CFD329CF28C4A19A777E2FF8A310719869DD4A68B3A5EB38AC41CB54

Function 02489967 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction ID: 5afb1460680354047d935c25dbd2acdec0722937b9f4673cbcad6947d0f24301
Opcode Fuzzy Hash: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction Fuzzy Hash: ADC1F1B16183808BD318DF25C850ABFBBE6EFD2308F14492DE5D68B391DB75850ACB56

Function 00409700 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction ID: 2e87a28a76dba4f31cae47dba0fb7e22e1a8f98f0dc0d4366023ba0889080103
Opcode Fuzzy Hash: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction Fuzzy Hash: 35C105716083808BD318DF35C85066BBBE6EBD2314F14893DE4D697392DB39C90ACB56

Function 00414070 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eec315c10c9a67952a9793dbef498c3585f4719540dfb14f25a11beae5eb4f2
Instruction ID: 3a875cd6648c61770c451858fbf1e99b01c2ef70bfb09da3693ab00193ad4cb1
Opcode Fuzzy Hash: 5eec315c10c9a67952a9793dbef498c3585f4719540dfb14f25a11beae5eb4f2
Instruction Fuzzy Hash: 478134B15143048BC728DF24D8A26B7B3F0EF95354F08892EE98687391F738D989C766

Function 0249D847 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d343a94ccc60b0ac76136acfacaf03ec9124c15c7c37e786dc5ab8e490f6e03
Instruction ID: 0c100f2d4de115c9ded8dd2cfb0a6a23680a0c9a74b9ca201eb025d84a464506
Opcode Fuzzy Hash: 7d343a94ccc60b0ac76136acfacaf03ec9124c15c7c37e786dc5ab8e490f6e03
Instruction Fuzzy Hash: 8FB1F775904201EFDB25AF24CC41B2ABBE2BFD5324F054A3EF8D8A72A0D7369915DB41

Function 0041D5E0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf664f652a807fb332ea88b5576aae59d3ab4033112652d5c76049a14ce75c6
Instruction ID: 4462778536881e7fad7e7429092b9e4e0939b3ac367c8c146f109192ca963606
Opcode Fuzzy Hash: 6cf664f652a807fb332ea88b5576aae59d3ab4033112652d5c76049a14ce75c6
Instruction Fuzzy Hash: 22B1E4B5D04301AFD7109F24CC42B5BBBE1ABD5318F144A3EF8D8A32A1D7399945DB8A

Function 024B5AF7 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction ID: 2ffce5f4b4a7fa93f6d8685f9bb1eeb9f3092d4439e2c3050df267a235513741
Opcode Fuzzy Hash: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction Fuzzy Hash: 67B10772E086918FC716CB7CCC816AAFFB25F96220B4DC399D4A5DB3D6C6259802C771

Function 00435890 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction ID: 82f263c77167ee55bcd91cd3b2c817a9180a54af617eadf61d99f91933eb0c98
Opcode Fuzzy Hash: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction Fuzzy Hash: 28B15B72E04B918FC715CA7CCC8169ABFB25B9B230F1DC399D4A5DB3D6C63998028761

Function 024864B7 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction ID: b2988e813993c47ff3f8bbba18ac10b03bf960780b9256612b22f6566fb030fc
Opcode Fuzzy Hash: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction Fuzzy Hash: 4BC16CB2A187418FC360DF68CC86BABB7E1BF85318F09492DD1D9C6342E778A155CB06

Function 00406250 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction ID: 6c2276beaf566b9a9bdc1ff0447d0761e6db3ed1e3725ba86175889a0c87908a
Opcode Fuzzy Hash: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction Fuzzy Hash: D5C16CB29087418FC360CF28DC96BABB7E1BF85318F09493DD1DAD6242D778A155CB0A

Function 004082AE Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60e4508a8573308057a18d506d0e04534aaf532080dedfe112986a424425a5f
Instruction ID: 9bc7db52ed85e8ce12a1b60bd9a2e1d492efdcd6eda8f0880cc64574571f8d9a
Opcode Fuzzy Hash: b60e4508a8573308057a18d506d0e04534aaf532080dedfe112986a424425a5f
Instruction Fuzzy Hash: C8911D31A087415BC7188E29DDD026EBBD3ABD1320F1D8A3EE8E5273D5DB3C59058B85

Function 02497BA7 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82812cdeafcd33f0fc968029d79aa7a24ca844b7ad5e98367da50fc895b2220f
Instruction ID: 37670ad763e9432da03cbed8179aa3cb8d30f97b8a687b10ed2913b1bee89d7e
Opcode Fuzzy Hash: 82812cdeafcd33f0fc968029d79aa7a24ca844b7ad5e98367da50fc895b2220f
Instruction Fuzzy Hash: A571D8B42246009FDB658F28C9C0A7BFBA2EFD7714B29962DD196477A1C731E852CB04

Function 024B9107 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908f5c4351c674361b7bf87d10fb2e8a93db02d5169a9e62b5518be8655f3495
Instruction ID: de93ff7c789e8ae12f3da9f9271a760ef48fb05d6271011cbfa1abd641f978d0
Opcode Fuzzy Hash: 908f5c4351c674361b7bf87d10fb2e8a93db02d5169a9e62b5518be8655f3495
Instruction Fuzzy Hash: 87516776A082404BE719DB29CC50BBFB7D2EF85714F19893ED6C2973D0DB3198018B66

Function 00438EA0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e58758c0c99ce53ee986e1c274d2b7879ae1e66bef164fde616ad3cbe13cbd39
Instruction ID: 96e128fd99fbf524e2f3ef55e43501592b1a8fdc9f4199c5c04fa81f22471a0d
Opcode Fuzzy Hash: e58758c0c99ce53ee986e1c274d2b7879ae1e66bef164fde616ad3cbe13cbd39
Instruction Fuzzy Hash: 96517276A083404FE718DA29CC51B2BB7E3EBD9314F19953EE5C297381DA799C01838A

Function 024BD7E7 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b458a4b395c5c8ee69f5f2b006b0e563729d6c6f05da1ba1057fcc05e7f9fb9b
Instruction ID: fe9d5ccd016fa72b61f29e3ed14a7acdbf69d4f219ddcb7ae9a878229e7773e5
Opcode Fuzzy Hash: b458a4b395c5c8ee69f5f2b006b0e563729d6c6f05da1ba1057fcc05e7f9fb9b
Instruction Fuzzy Hash: 6C812571A08311DFC7658F18C880AAFB7E2EF89714F18856DE99587364D731EC51CBA2

Function 0043D580 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e8deb904bd57a38d5db16f622e75ca6e8515c759adf41183e1257d8dc022a60
Instruction ID: 64328250301a943c4221b3aea1d0af6b203cdad55f8ce28cbce5e8ab6c8a38f2
Opcode Fuzzy Hash: 4e8deb904bd57a38d5db16f622e75ca6e8515c759adf41183e1257d8dc022a60
Instruction Fuzzy Hash: 1D812035A08310AFC7248F18D881A6FB7E2EF89314F14992DF9958B391DB35EC51CB86

Function 0249DC47 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction ID: 21afea86dd41f5a60892e9eeef04f3610775b54f4d7209a0a72b3f83f5cee9db
Opcode Fuzzy Hash: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction Fuzzy Hash: D2710733B499918BEB2C993C8C213A67E930BE7234F2DC7BAE5F5873E5D56548068340

Function 0041D9E0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction ID: c9f1a56c5cc6f557c9c63b1b84e3a6a9080bfa3b27e02a379f5ce7dab310694a
Opcode Fuzzy Hash: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction Fuzzy Hash: 75711673B499904BE328893C4C213AB6A830FD6230F2DC77AE5B68B3E5D5698C468345

Function 024B9607 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f966890577f15959edc4de71345d5fecb794fae90f6da87e8e32d5ae83de50
Instruction ID: de36ed804c9ab8e182757829c74c068bd5bee5c09c245c0698b6f156c0314ed5
Opcode Fuzzy Hash: d2f966890577f15959edc4de71345d5fecb794fae90f6da87e8e32d5ae83de50
Instruction Fuzzy Hash: 45613836B247105BD719CE29CC806ABB7D3AFC9720F19863DDA95877E0DB7498018B91

Function 004393A0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2defeb47ced1666dcc5d40c491d5d47036e27bb510cd2a5827aa3a977f25a96
Instruction ID: e0a57f83dc16a7a8da3cda248db75e741f620206b22b691e391221bf57496f6d
Opcode Fuzzy Hash: e2defeb47ced1666dcc5d40c491d5d47036e27bb510cd2a5827aa3a977f25a96
Instruction Fuzzy Hash: B8616837B193105BD718CE69CC9066BB7D2ABCD320F09922EE995833D1CAB88C02C385

Function 024AF397 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction ID: 1408933fbbe84fdaee51728edd8a0a9990c55600a6fb0c74fcf72de1f47a3812
Opcode Fuzzy Hash: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction Fuzzy Hash: D3710927A49AD04BD328893C4C713A67A930BE6230F5EC76EE9F5477E6C566484B8341

Function 0042F130 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction ID: 93e46a8bd3da194c47575791ec0c02f08c3a6f4472264f5d459ff5c5938f4a7b
Opcode Fuzzy Hash: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction Fuzzy Hash: BF712827B49AA04BD318893C5C612A66AA30FD2330FEDC77FE9F1473D5D5694C0A8359

Function 024BD307 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b1c9c5f56f139aa65c1abfed3263135776d97135dd74b25c5f35881b33ae15
Instruction ID: e9499fd3b35013bfdfb2780bda0080a17286a84238018dd27a933cf31434c33b
Opcode Fuzzy Hash: 64b1c9c5f56f139aa65c1abfed3263135776d97135dd74b25c5f35881b33ae15
Instruction Fuzzy Hash: EA516831B083009FD7259F18C881AAFB7E2EFDA314F25847DE68547365EB70A851CB62

Function 0043D0A0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e87dfdf556a0c711327e89229684132eea6e28a06d28a898aa22cd66f13d778
Instruction ID: c6b6bb5faf057b6a68f3e5ff18d61b6d7d9c128f7451342645401fa614298587
Opcode Fuzzy Hash: 0e87dfdf556a0c711327e89229684132eea6e28a06d28a898aa22cd66f13d778
Instruction Fuzzy Hash: F3514831A083009FD7249F18E881A2BB7E2EFDD310F25A93DE58547351EA75DC51C74A

Function 024A9611 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction ID: bf71085df876661d669e25b96e9608b415941faa1fc0635b681d23639470b28b
Opcode Fuzzy Hash: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction Fuzzy Hash: 8D71AE71D043699FEB25CFA9CD817DEBBB2FB80310F18816DD459AB289DB7419468B80

Function 004293AA Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction ID: bd453bbf85e71c37a0fde588b6316f789c56ba706437bc4c9fe4a45325bf71d6
Opcode Fuzzy Hash: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction Fuzzy Hash: 6771AF72D043689FEB25CFA9CD817DDBBB2FB80310F18816DD459AB289DB741946CB84

Function 0249EC17 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction ID: 6cb3b834ed862b087e9e28c07d79473c022ed2728f786756f0f96cf7d45154bd
Opcode Fuzzy Hash: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction Fuzzy Hash: 78612B356083914FCB26CF29C85092F7FE16F96214F4886AFE8E487392D775D805D792

Function 0041E9B0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction ID: 005a84f34606d807ef7803f473bdaa3d6e6b3e5a6c55ca812da06d8011db77a6
Opcode Fuzzy Hash: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction Fuzzy Hash: 19613839A0C3914FC325CF39C88095B7BE16F96314F4881AEECA54B392D639EC45D796

Function 004369A0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9beccb418eb2a315fce9c1fee449ff7612de2d6f2e7ef11585c31999dd8e919
Instruction ID: 79698480e789f394c927d8fe7c13ac859d6e499323d4242f8a9ce8e9df0e27f7
Opcode Fuzzy Hash: a9beccb418eb2a315fce9c1fee449ff7612de2d6f2e7ef11585c31999dd8e919
Instruction Fuzzy Hash: 75516875608301ABD310AF65DC81B2BB7E5EB9A704F16A83EF58197281D7B8DC00DB96

Function 024A4CF4 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397dd7719a72b64fe6fd9bff4a2b0e0990fccc0e48aff55cf7b07deb802e575f
Instruction ID: 34fc39c466705ff769e93c7ae6fe5eeb92f6a91a083b29c035cf0869ff73fd15
Opcode Fuzzy Hash: 397dd7719a72b64fe6fd9bff4a2b0e0990fccc0e48aff55cf7b07deb802e575f
Instruction Fuzzy Hash: 3F516A71A012428BEB28CE28C8B16BFFBE2EF74314B18866ED5975B7C1D7749541C781

Function 024B5897 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: 83bb6f2b74b56125fd2ec8cb28b8c9b50ee4c88551857cd8b60b24245b9ddf35
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: 755139B15087548FE314DF29D89435BBBE1BB88318F444E2EE4E987350E379D6088F92

Function 00435630 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: c2a6bcafcd54fac281a485024f5f1ed9cd6e16fab59c4b6ddada49184fd56f0c
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: AB516BB15087548FE314DF29D49435BBBE1BBC8318F444A2EE4E987351E379DA088F86

Function 02496907 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction ID: 060622529dd8de80e2cc9ab115a6c66add3c6f165184b2fed495c3bfd34f4d67
Opcode Fuzzy Hash: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction Fuzzy Hash: CE6169B16003068FE728CF65D891256FBA1FF46300F1996ADC0998F752E778E9C1CB95

Function 024B1157 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction ID: d16ddec15bf8a07411d98d344096ee88f460100ebd815a9f2eed39f81e8c53fa
Opcode Fuzzy Hash: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction Fuzzy Hash: 91513433A599904BE72A853C5C713EA7AC30FD6230B2DD77BE5B9CB3E1D15988068360

Function 00430EF0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction ID: d7cad542098786fb583f31be900ecfd8ec374eacf30312457ad000f908a343a7
Opcode Fuzzy Hash: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction Fuzzy Hash: 46512433A5A9D04BD32C853C4C623A66AD30BDA330F2DA77BE5B1CB3E1C56D88064355

Function 024AD7E5 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction ID: 0ca0a613047e6d51947b2ea5fdf20eb428409d5c254390a2e2b1c8ca743a8cdf
Opcode Fuzzy Hash: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction Fuzzy Hash: 2651B673B569004BC71CC93DCDA166AA6D3ABD923076E873DD476C77D8EE78E8028600

Function 0042D57E Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction ID: 3e54edccfae4d99a9dc067fb7438e7a0f7318be64c596df77be4d10cba28c441
Opcode Fuzzy Hash: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction Fuzzy Hash: E651A173B569104BC71CC93C9DA166AA6D3ABD933076E873DD476CB7D4EE78E8028600

Function 024BB2CF Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: ec09d8d07feab70f4bdf22fcfdb904cc3c4892d8365caa6c3d849920257edd3e
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 29415776E587148FC329EF64D8C06BBB3A2EFDA318F1E953D89D61B354DAB04D018249

Function 0043B068 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: f3345cb18c34d22cea7c76b8972ea9c026089d6dd7aab1ac627898e589a0e88a
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 0E416676A687148FC328DF64DCC427BB2A2EBDA310F1E952D8AE61B354DB644D018689

Function 024AB0AF Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: 18739143fc2bfdd9b27d4ece1bca2e3bc02b1a705655674dfedca087045c6feb
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 1841A1A01083D18AD7368F2980607BBBBE1EFA325DF1849AEC2D5A7683D7754007C759

Function 0042AE48 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: 6458c2a36ad1cb1d3c56fad7511fb74c051b1bd8ee895f970e959f4703a01e69
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 404117A02083D18BD7358F3990607B7BFD19FA3219F5948ADC6C597283D7784007C71A

Function 0248CB7E Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: 1886ef0e2a34783752b0448fe39cebd73ef78dac866104b07dd169c35a0afa04
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: E551577951C3408BD328DF24D880A6BB7F2EFC6304F18995CF986AB3A5DB309906C756

Function 0040C917 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: f0dfe561e574c5b04bf144357c30d0d8e3624fae8d6a5d5d31a0a28d0469a5e5
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: A4515A7551C3408FD324CF24D880A6BB7F2EFC6304F14996CF886A7291D7349906CB4A

Function 02495F79 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction ID: a53d6d527b8eca4361064ca06ae8b9aadd675c236848c3e24e7c3388c99ba615
Opcode Fuzzy Hash: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction Fuzzy Hash: FD4145B1A002418BDB258F39CC917737BE2EF92318F28856ED492CBBA5E7399441CB10

Function 0248C0E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aff5b575bdc1cbf128a6fcaf21673d610ba054c2e19d9dceb1adbeeb882f19a
Instruction ID: b41d1344dea177b86e3632ad74414e96ff8f6566370b896284136c93e0be55b6
Opcode Fuzzy Hash: 0aff5b575bdc1cbf128a6fcaf21673d610ba054c2e19d9dceb1adbeeb882f19a
Instruction Fuzzy Hash: A8418A752183808FD7299B24CCD67BB77E0EF96704F18946EE4C2CB292E7254903CB1A

Function 024AB08B Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: 47f10220abf95029be2718c47a7771dfc95221f9e3f2688b976712ae3ca565f8
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: 414180A010C3D18AD7268B3490607BBBBD0EBA325DF14599DC2D6A7683D7354007CB5A

Function 0042AE24 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: df0643d0793dd6d859baae3aaafaf1000bf3a96435c36713bdd1cf9414b21aca
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: BE41B4A021C3D18BD7358B34A0607BBBBD09F93219F54599DC6D6A7283D7394407CB5E

Function 024BB2C2 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction ID: 6ed591942ba998c6ce51055b20a68ceb9198711a58efa29eb6963cf65e98dbca
Opcode Fuzzy Hash: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction Fuzzy Hash: EA418A75A587148FC226AF54DCC06BBB3A2EF86328F1E452DCAE517350E7A08C008664

Function 0043C020 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e9279ef52f96599ba60b9f495eba6a2778b73f1ce77f20ed8f4ad1faa0dcde
Instruction ID: bdc763d3058119611c7ecd8a8528ac1cd9b09ae5f9eb0b7e174c524916cf2ae7
Opcode Fuzzy Hash: e4e9279ef52f96599ba60b9f495eba6a2778b73f1ce77f20ed8f4ad1faa0dcde
Instruction Fuzzy Hash: 6A41F33A308610CFCB08CF78E9E055A73A2FBCB315F29847DD54547622C775A956CB44

Function 024BB2C4 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: fb576ce599db0631ab191e0336a94bed2d19237e11b0758f1b19b2b1d830c6fb
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: EE317775A587148FC329EFA8E8C05BBB3A1FF8B318F1E952D89E50B350D7B08D018659

Function 0043B05D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: 78121dedb2d80148adf018004532891c25ca3ce7b5d6c479fa077a4fb261e508
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 5C316879A587188FC328EF54E8C427BB3B0EB8B310F2E952D8AE51B350D7648D01878D

Function 024A60F7 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction ID: 6ab4f39ae6a28cada1ecd310b6611a691ab71650486836608bc6e6ac25e875a1
Opcode Fuzzy Hash: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction Fuzzy Hash: 7441BFB26183908BC734CF24C85179FBAF6EBD1214F498E2CD4CAAB341E73589058B87

Function 024AB05B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: c5b0531d72c6fe838cefefc8e6f217bbf2851e96bfb4e7688a66f85af5296362
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: 9B3171A01083D18ADB358F259020BFBBBE0EFA325DF14899EC2D5A7683D7344047CB5A

Function 024AC6C3 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction ID: 1897558639b5814e2e5fd7a8664c1ae8dc2d19f8559f81b444d7a2ec48490a73
Opcode Fuzzy Hash: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction Fuzzy Hash: A83139781183C28BD3E58B2888B0BBBBBD2DF93304F28496ED0DA47292CB254445CB56

Function 0042C45C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 888aa382685d0caeac7857589a895e4d05e9bcb5ed8514602e835cd5541883fc
Instruction ID: d85d8e7ba49753ff7f36d3ed97c285ab1e5e24199585a0ad528ba1d19501f263
Opcode Fuzzy Hash: 888aa382685d0caeac7857589a895e4d05e9bcb5ed8514602e835cd5541883fc
Instruction Fuzzy Hash: B7313B602083A15BD3B58B2864B077F7BD2DF87304F68496DD0C9872A2D7289485C74E

Function 0042ADF4 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: eb231649460b60e8b645cff36354959ad8fc4f47b4bc3ecb8744b755d441be80
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: AC3191A02083E18BDB358F2491207FBBBE0AB93259F54499DC7D9A7683D7384017CB5E

Function 024A89C0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction ID: 7ca21e3234f8b6694d054e6d93b430c09175b952ea1641c4298216a1dcbd43af
Opcode Fuzzy Hash: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction Fuzzy Hash: 183144726183448FC724CF648CA06BBB762EFA6748F1D853EDA8683741D775C9018B46

Function 0248DA09 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction ID: 6a2af28f1fb56cc36e3fa169f1384b26f7e51cefd07ca25af218a68f0aaab131
Opcode Fuzzy Hash: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction Fuzzy Hash: 8631C834A2A501DAE765BB25CC4073A7767FBC6305F78952ED0C1936E8DB349C52CB14

Function 0040D7A2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b6e21541edddda7d0cafdb5479713d3008093deab5e063b60f74b86252a7a36
Instruction ID: 608a5c001c9016f47e6d849a3a7bf8eb37f8ca910ed307557679ae7e480cd3ab
Opcode Fuzzy Hash: 8b6e21541edddda7d0cafdb5479713d3008093deab5e063b60f74b86252a7a36
Instruction Fuzzy Hash: 9F31F139E146009AE325AB598C807377753FBC7300F68D13EE092A32E9DA38AC16874D

Function 024BBC08 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 37ba2d6212f0e4bfb1f23e9c6c8f6fdf5c328a5282f30d0e6be11af4c26e01b2
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: F9213B2170879107D719DE3988D127BF7E39FC7119F18C63FC8A2876D5CA30D9068604

Function 0043B9A1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 4f1d9a8e55b01d87ed81b452fa3618ff49b1b83c19e4b1c484c24ed6b64955da
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: 78212921718B550BD728DE3988D132BF7D39BCB210F48D63EC5938B2D6CA34D9054688

Function 02496544 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction ID: 53a8eecb4edcad1944e89d80f86ae646f279df54e3ef8f40f633b39275c45079
Opcode Fuzzy Hash: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction Fuzzy Hash: 8721F634614B019FD761CF28D880F27BBA3EBC6724F258668D595477A5DB30EC42CB54

Function 0043BF40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction ID: c284272cbe1354c2bac86839248cf07ee5637eab11ef42c9faf85a1953e6744e
Opcode Fuzzy Hash: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction Fuzzy Hash: B521217AA08225CFCB04DF24E88466AF3A0FF4A714F5A947ED5858B241D3309E90CF86

Function 02482E37 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction ID: b96faad36df9bec707c24d3aa48d4674efc2e3ec6492beaf23e87ea6b6714af9
Opcode Fuzzy Hash: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction Fuzzy Hash: CD112733F265A147A350FE379CD862B6383E7C5214B1A0135EE42C7381CB72F902E294

Function 00402BD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction ID: d3efd499d3fbc33036e2032367fc91d0155dae543bbe3474a39f1f7b468c3dc9
Opcode Fuzzy Hash: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction Fuzzy Hash: 4A11B273F2A92107F3549E369C9C21B6352E7C531471A0535D941A72C1CA79F902E168

Function 024A552B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction ID: 2ae32c99da0c37c3c817af64148525931b4e9dc37609f5ee8fae64d7a3d152b9
Opcode Fuzzy Hash: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction Fuzzy Hash: EE110131A443409BCB18CF64D9E1A7FB3B1ABAA305F88543EA5D2C3391C374C8018B46

Function 024BB3FC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: a3bebf31a3e1a0755c57bac4ae011399ec0b3d644d63da755b126511517c75fa
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 1C118C75A587044FC319EFA4ECC027BB3A0FF96314F19853C89E607750D7608D108609

Function 0043B195 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: 20ca1e341728769f683a14c7d19e02f3155232ce684509dc4d83bd4e8ff0b8df
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 72112575A587048FC318EFA4ACC837BB3A4EB8A311F29953D86A647350DB608D118689

Function 02494806 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction ID: 8c2434230611f9a81e383c74aa922dad9da981a7ab8050aaa794470a2180fdfd
Opcode Fuzzy Hash: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction Fuzzy Hash: 9A0126347042805AFB588B28CC51B3BB753EBD6700F65912EE1819B2D1EE708C428B06

Function 024B3897 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 9a8e885c7f9efbaa7ccb81eed218e0b4b069263c46cb091c2d1049474730d0d2
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7611C233A051E40EC7178D3D84005B9BFE30E97535B1983DAF4B89B2D2D6238D8A9761

Function 00433630 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b28cf3c768fcd90dd8a03dd2320e21e507999ec1ebf4a65f37eb71fdd5601da6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E011EC336051D41EC3268D3C8400565BF930AA7636F5953DAF4B49B3D2D52A8E8A8759

Function 024A9C17 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction ID: eee7506c66ed3c3c0bdfe6248444f1f74c2cf0a9a261cc4568fc2b2826e0d8e3
Opcode Fuzzy Hash: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction Fuzzy Hash: 7501F2F1700B018BE720EE12C5E0B3BB2EA6FA1714F18443EC90947700DF72E805CAA5

Function 024A55B3 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction ID: 57ddd62bfad8b92166875c3be1d47621922731effecd430b939eae1ff2ba19d6
Opcode Fuzzy Hash: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction Fuzzy Hash: 4A11E2367543404FD718CF68D9E06BBB3E19B9A301F89543E9482C3390CBB8C9068B46

Function 004299B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction ID: 55029b9e38fdfb0df3b4b8151af6569af59bc0d0f5a25f3444c4cc7de86b0466
Opcode Fuzzy Hash: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction Fuzzy Hash: E001B1F1B0035257DB209F55B4C1B27B2A86F95718F08443EE80867342DB7DFC44C2AA

Function 024B6C3B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction ID: 8825b0ee1c5aa2ff49e9047f8f4162c21f1c9810d4e812afc32bf93845622f9e
Opcode Fuzzy Hash: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction Fuzzy Hash: 34116B756042005BD3129F25CC80E7BB7FAEFE6701F25943EE78057255DB308852A736

Function 0248EAA2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 05ba769efe85f72c2f71f363c25530b9b77f569686cd2fd050e3b885506edb5b
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: 6011E3747507804FD3199F24CCD1E66B7A3ABC6318719853DB8429BB92C67CA805CB64

Function 0248C030 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 16578d3c4a83003f04d137e1d300357a8e4ba0a1c42718879a7f7822fc840aee
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: C311A071608341ABD7249F29DD9077FBBE2EBC2254F15AE2CE59653791C630C841CB0A

Function 00AFA923 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672490969.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afa000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: d5e26560902b58f0b1db40241e8fa95519b53482a17fad62b6516265547938ab
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E3115EB23401049FD754DF95DCC1EE673EAEB99320B2A8065EA08CB316D6B5EC41C761

Function 0040E83B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 78b4a12427cc173d586094b37f3e700b38d0ff2ce6b24877113fcbe6adf3e26f
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: D71127717507404FD3189F25CCD2A637772ABC6314705893DB8519BBD3C67CAC0587A8

Function 0040BDC9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 5bf83162093d809aa6a095f83f940cb60b386281fae2fad957a8694bd2eb5c71
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 3911E071608341ABD7149F29DD9067FBBE2EBC2354F14AE2CE59253790C630C841CB4A

Function 02480D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 34064763689ac3de6fc2931be55773beff4606bcf56ef1d504eadd77b2d196bf
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 2E01F272A306008FDF21EF20C905BBF33E5FB86306F0550A6D90A97381E370A8498B80

Function 024A70E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction ID: e8084dc5e7dfcc4d519ce80bab3f29eab8306755998803453d0699d00f7e5f29
Opcode Fuzzy Hash: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction Fuzzy Hash: 3EF06DB5E0C3848BC718DF28C45063AFBE5AB9A700F10A93ED48AA3341DB31D545CB4A

Function 024A7797 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction ID: 105713abdaea2eefd27ce6dba229579eaed4e6cae262987884b2b04d67898584
Opcode Fuzzy Hash: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction Fuzzy Hash: BAF069B410D3919FC300DF29D29051BFFE0ABD5318F64EA5CE8DA5B212D334C5028B4A

Function 024A54D1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction ID: 54f6791b19feaab174315a8068ce3548ef6630c58af0954641ad5995dfcb3488
Opcode Fuzzy Hash: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction Fuzzy Hash: 1CF0EDB1A88301BAF6258A01CC43F6BB6B89B55B04F301519B344790E0E5E1B5498B1E

Function 0042526A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction ID: 26823722f3a6afcc10447d79cbf8b06261be6e3c3bcefc34e32834821d37eed0
Opcode Fuzzy Hash: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction Fuzzy Hash: D4F0EDB5A88301BAF6248A00DD43F67B6A89755B04F301519B344790E1E5E1F559870E

Function 024BAD19 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: 3f0327492912c326d74bc6b1bae2584806e2ff85f78facd436f9c1379979bcc7
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: 94F0A735B457808BEB04CF38E82199BBBE6E787228F145A7DD641D3751DB39C4018605

Function 0043AAB2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: fe1efda9bcc16308283c5424634e62067ac2dc8fe4a9505e7820fcb65e305570
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: B1F0A735B456808BE704CF38D82155BBBE2E38B324F185A7DD681D3751D639C8018609

Function 024A63B6 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction ID: 80fbaeeab38f874a1026c3ded23ccaa1ef9bb188e1373d2453640531e5596f5f
Opcode Fuzzy Hash: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction Fuzzy Hash: F2D02E2480C63AC20E2A0E1401301BEA72A0A23505B0F59E6DCE1BF282CBE2C80B4358

Function 024BC268 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction ID: 979b3066809f2b39c8d4e254b46c6f556eea9d2a5e27a8b6f776bea0b7d6dcb5
Opcode Fuzzy Hash: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction Fuzzy Hash: 1AB002759486418FC644DF18D584974F7F5AB0B211F1564549589E7222D220D8408A19

Function 024BC79B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction ID: 10c72ce3a0ca8e08a8575cf423c81d1ec4165de9f21f41d416b206e48e332a4b
Opcode Fuzzy Hash: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction Fuzzy Hash: FDA00239E5C40197CA08CF20A854871E2BA6B5F204FA134288106B7C52D951D500854C

Function 024A559D Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction ID: 70204a4f19da818e306c590333116dd845209fb171f96af6639338c1a50bb7b2
Opcode Fuzzy Hash: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction Fuzzy Hash: 38B00254855145D6D704CF10D905575F270BF43705F10F655A40437160D3B4C248870E

Function 024B1337 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 024B1347
GetWindowLongW.USER32 ref: 024B136C
GetClipboardData.USER32 ref: 024B137C
GlobalLock.KERNEL32 ref: 024B1395
GlobalUnlock.KERNEL32 ref: 024B14A7
CloseClipboard.USER32 ref: 024B14B0

Strings

j, xrefs: 024B1411
(, xrefs: 024B1425
P, xrefs: 024B1402
W, xrefs: 024B140C
x, xrefs: 024B13E4
], xrefs: 024B13F8

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction ID: f53a5e1f8ee9b91d7136638630b9b731faa22d6d69be784595d1073ad77bd381
Opcode Fuzzy Hash: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction Fuzzy Hash: 49419F7051C7818ED301AF78999836FBEE09F86314F084A7EE8D986392D6788549C7A3

Function 024AFAA2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 024AFAAC
VariantInit.OLEAUT32 ref: 024AFABF

Strings

Nup=Nu, xrefs: 024AFAAC
L, xrefs: 024AFB41

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L$Nup=Nu
API String ID: 2610073882-3804805560
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 8b67c78340b8fb1ad4e063d2d18872e235bfd1e7b5bd58e0c5bd348bd25d5f3e
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 0D41497110CBC18ED321DB38845865EBFE1ABE6220F188A9DE1F5873E2D675854ACB53

Function 024AE1A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 024AE1AD
VariantInit.OLEAUT32 ref: 024AE1BF

Strings

Nup=Nu, xrefs: 024AE1AD

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: Nup=Nu
API String ID: 2610073882-1345143215
Opcode ID: f4d18ca3644b23d35ddb65be79117136e80e94d7a871d6f0f195a984047f117b
Instruction ID: c47ac124e165963a6aa197f1861c53d1b54321d2fc2bc2458a1a9a625e457040
Opcode Fuzzy Hash: f4d18ca3644b23d35ddb65be79117136e80e94d7a871d6f0f195a984047f117b
Instruction Fuzzy Hash: F2417C31508FC18ED322CB3CC44875ABFD15B56224F088A9CD1F64BBE2D774A509CB52

Function 0042F83B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F845
VariantInit.OLEAUT32 ref: 0042F858

Strings

L, xrefs: 0042F8DA

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 6db3269f84c82bd33a71f1d72ed2fa7cb36160b769e4d9c9dbaa52e299ac7a35
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 40413A7110CBC18ED321DB38844865EBFE16BE6220F588AADE5E5873E2D674854ACB53

Function 024AF1F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 024AF200
VariantInit.OLEAUT32 ref: 024AF212

Strings

Nup=Nu, xrefs: 024AF200

Memory Dump Source

Source File: 00000000.00000002.1672750153.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_file.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: Nup=Nu
API String ID: 2610073882-1345143215
Opcode ID: 2af52bf7b63f1e9d409911774e51c7f4f95e0895d44ac2e47339ada86beee338
Instruction ID: 5c9ebda7250813c15707b725df2f3f26e195a21d8a88c969e0d165a94e1e2312
Opcode Fuzzy Hash: 2af52bf7b63f1e9d409911774e51c7f4f95e0895d44ac2e47339ada86beee338
Instruction Fuzzy Hash: FE410A25408FC18ED322DB388459797BFD16B66224F088A9DD0FE4B3D2DB7A6109D762

Function 004322BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004322EE
GetSystemMetrics.USER32 ref: 004322FD

Strings

, xrefs: 004323A8

Memory Dump Source

Source File: 00000000.00000002.1672152226.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1672152226.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction ID: c9a1f8c58fc854c7343cd62f2f50c2794f568aca7ada01e3bbf97962732916ca
Opcode Fuzzy Hash: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction Fuzzy Hash: BB3183B09143048FDB40EF69E98965EBBF4BB88304F01853EE499DB360D7749948CF86

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_b4631a8323cfff3c86fa2bf9728a9dd766a124_fc62de6f_a206c1fc-a90c-448e-8e0d-db88e2735579\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3324.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34CB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER35E5.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
file.exe

Function 00408790 Relevance: 7.6, APIs: 5, Instructions: 146
threadCOMMON

Function 00AFB046 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0040B44C Relevance: 1.6, Strings: 1, Instructions: 345
COMMON

Function 0043A9B0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0248003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0043AB0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Function 02480E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0043AB91 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Function 00438E70 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Function 00438E47 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Function 00438E51 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON