Edit tour

Windows Analysis Report
asd.exe

Overview

General Information

Sample name:	asd.exe
Analysis ID:	1585823
MD5:	48ae927ff130dd0e9883d41a9cdf6514
SHA1:	9afa190d5e46e32aec767e2f3d366e268ce5b0ce
SHA256:	e6c75ba5d611e79d680ea437a8d874d2d001003fd2297c0f20f1ed06471bc002
Tags:	exelummamalwareuser-Joker
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

asd.exe (PID: 4124 cmdline: "C:\Users\user\Desktop\asd.exe" MD5: 48AE927FF130DD0E9883D41A9CDF6514)

WerFault.exe (PID: 3524 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1004 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["immureprech.biz", "wrathful-jammy.cyou", "sordid-snaked.cyou", "brendon-sharjen.biz", "diffuculttan.xyz", "awake-weaves.cyou", "debonairnukk.xyz", "deafeninggeh.biz", "effecterectz.xyz"], "Build id": "HpOoIh--2a727a032c4d"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2209463629.00000000004A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xbe7:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.929255+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.231855+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.5	49789	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.124061+0100	2058039	1	Domain Observed Used for C2 Detected	192.168.2.5	51699	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.162090+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.5	54581	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.208163+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.5	57137	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.194566+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.5	60744	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.172916+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.5	52583	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.136099+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.5	56649	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.250757+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.5	65134	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:55.220529+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.5	61799	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T10:08:56.442985+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49704	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: asd.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://effecterectz.xyz/j	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/z	Avira URL Cloud: Label: malware
Source: brendon-sharjen.biz	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/r	Avira URL Cloud: Label: malware
Source: https://debonairnukk.xyz/apij	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/B	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.asd.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["immureprech.biz", "wrathful-jammy.cyou", "sordid-snaked.cyou", "brendon-sharjen.biz", "diffuculttan.xyz", "awake-weaves.cyou", "debonairnukk.xyz", "deafeninggeh.biz", "effecterectz.xyz"], "Build id": "HpOoIh--2a727a032c4d"}

Multi AV Scanner detection for submitted file

Source: asd.exe	ReversingLabs: Detection: 76%
Source: asd.exe	Virustotal: Detection: 75%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: asd.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: brendon-sharjen.biz
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2011325385.0000000000680000.00000004.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--2a727a032c4d

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\asd.exe

Unpacked PE file: 0.2.asd.exe.400000.0.unpack

Source: asd.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\asd.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], AF697AECh	0_2_00439BE8
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-10h]	0_2_0043A55A
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then push A0E75166h	0_2_0040AE60
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E1A2961Bh	0_2_00439F2D
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then jmp ecx	0_2_00423040
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_00429070
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov edx, ecx	0_2_0042A80B
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_0042A80B
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov edi, ecx	0_2_0040C830
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0042A03C
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_0042B0DE
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	0_2_0042B0DE
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_00429E89
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	0_2_00429E89
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, ebx	0_2_004278FF
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	0_2_004278FF
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000003B2h]	0_2_004298A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebx, eax	0_2_00405940
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebp, eax	0_2_00405940
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_2_00439140
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_00422154
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+00h]	0_2_004029D0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], E785F9BAh	0_2_004149D2
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then jmp ecx	0_2_004231E0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_004389F0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A2347758h	0_2_004389F0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebx, edi	0_2_0041CA40
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then lea edx, dword ptr [eax+00000270h]	0_2_00408A50
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000085h]	0_2_0041826E
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+06h]	0_2_00409270
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then push esi	0_2_00420273
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00415230
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [eax], bl	0_2_0040E2D5
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+2B788957h]	0_2_0040E2D5
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+38h]	0_2_0040C2DA
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov eax, ebx	0_2_004282E8
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00428AF0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_00422280
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3A16D4AFh]	0_2_0043B2A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68C964F4h]	0_2_0041B2AA
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov dword ptr [esi], 97969554h	0_2_0043A35B
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-5C2FB1A1h]	0_2_0040C37A
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, word ptr [ebx+eax]	0_2_00421380
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+06h]	0_2_00421380
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_00426B95
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	0_2_004253A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov eax, ebx	0_2_004253A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3A16D4AFh]	0_2_0043B3B0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, edx	0_2_0043C410
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0041AC1D
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3A16D4AFh]	0_2_0043B4C0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000120h]	0_2_0040CCC5
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00417CE5
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_00415CFC
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then lea esi, dword ptr [eax-01h]	0_2_00419490
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then lea esi, dword ptr [eax-01h]	0_2_00419490
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then lea esi, dword ptr [eax-01h]	0_2_00419490
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_004074A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_004074A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000120h]	0_2_0040DCA0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3A16D4AFh]	0_2_0043B550
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+48EF6323h]	0_2_00439DD7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then jmp eax	0_2_004245DF
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3A16D4AFh]	0_2_0043B5E0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_004265F8
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004275F8
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then test eax, eax	0_2_00435E40
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then add ecx, FFFFFFFEh	0_2_00435E40
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6Ah]	0_2_00438620
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+181AFBA5h]	0_2_00409630
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-654B9280h]	0_2_00409630
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	0_2_00436632
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_00429ECA
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	0_2_00429ECA
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_0041D6F0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_004256A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	0_2_00402F40
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042A749
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042A749
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_0042B771
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00432770
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00408FE0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], E785F9BAh	0_2_00645064
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], E785F9BAh	0_2_00644FA7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], E785F9BAh	0_2_0064503C
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+48EF6323h]	0_2_0066A03E
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then test eax, eax	0_2_006660A7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then add ecx, FFFFFFFEh	0_2_006660A7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 4E935B1Fh	0_2_00652175
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 4E935B1Fh	0_2_00652177
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_0065A131
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	0_2_0065A131
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then jmp ecx	0_2_006531AB
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E1A2961Bh	0_2_0066A194
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00639247
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_006592D7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0065A2A3
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_0065A0F0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	0_2_0065A0F0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_0065B345
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esi]	0_2_0065B345
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_2_006693A7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_006523BB
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_00652465
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then push A0E75166h	0_2_0063B47C
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+06h]	0_2_006394D7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then push esi	0_2_006504DA
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+38h]	0_2_0063C541
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov eax, ebx	0_2_0065854F
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [eax], bl	0_2_0063E53C
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+2B788957h]	0_2_0063E53C
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68C964F4h]	0_2_0064B511
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-5C2FB1A1h]	0_2_0063C5E1
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, word ptr [ebx+eax]	0_2_006515E7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+06h]	0_2_006515E7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov dword ptr [esi], 97969554h	0_2_0066A5C2
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_00654587
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00645663
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, edx	0_2_0066C677
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 5E874B5Fh	0_2_00655607
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov eax, ebx	0_2_00655607
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then lea esi, dword ptr [eax-01h]	0_2_006496F7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then lea esi, dword ptr [eax-01h]	0_2_006496F7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then lea esi, dword ptr [eax-01h]	0_2_006496F7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00637707
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00637707
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax-10h]	0_2_0066A7C1
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00657873
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then jmp eax	0_2_00654845
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6Ah]	0_2_00668887
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+181AFBA5h]	0_2_00639897
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-654B9280h]	0_2_00639897
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_0064D957
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_00655907
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_006629D7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	0_2_006669D7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_0065B9D8
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0065A9B0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0065A9B0
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3A16D4AFh]	0_2_0066B987
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov edx, ecx	0_2_0065AA72
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, eax	0_2_0065AA72
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov edi, ecx	0_2_0063CA97
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000003B2h]	0_2_00659B07
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebx, edi	0_2_0064CBCB
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebx, eax	0_2_00635BA7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebp, eax	0_2_00635BA7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_00668C57
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A2347758h	0_2_00668C57
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+00h]	0_2_00632C37
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebx, edi	0_2_0064CCA7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then lea edx, dword ptr [eax+00000270h]	0_2_00638CB7
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00658D57
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_00656DF5
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], AF697AECh	0_2_00669E4F
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-00000085h]	0_2_00648E4E
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], E785F9BAh	0_2_00644EB5
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0064AE84
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_00645F63
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00647F4C
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000120h]	0_2_0063CF2C
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-5A3E0FADh]	0_2_0066CF37
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000120h]	0_2_0063DF07
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then mov ecx, ebx	0_2_00657FB4
Source: C:\Users\user\Desktop\asd.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], E785F9BAh	0_2_00657FB4

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.5:60744 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.5:49789 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.5:56649 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz) : 192.168.2.5:51699 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.5:57137 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.5:54581 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.5:65134 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.5:61799 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.5:52583 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: brendon-sharjen.biz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: effecterectz.xyz

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: #vContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b95b21e4af153b8c7d622a80; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 08 Jan 2025 09:08:56 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: asd.exe, 00000000.00000003.2027045891.0000000000766000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209971273.0000000000766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout. equals www.youtube.com (Youtube)
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: brendon-sharjen.biz
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=fh8YN-Pt
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=d_Qf
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/
Source: asd.exe	String found in binary or memory: https://debonairnukk.xyz/api
Source: asd.exe, 00000000.00000003.2026960253.0000000000739000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://debonairnukk.xyz/apij
Source: asd.exe, 00000000.00000003.2026960253.0000000000739000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://diffuculttan.xyz/api
Source: asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/
Source: asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/B
Source: asd.exe, 00000000.00000003.2012651136.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/api
Source: asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/j
Source: asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/r
Source: asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/z
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: asd.exe, 00000000.00000003.2026960253.0000000000739000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/i
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: asd.exe, 00000000.00000002.2209649051.000000000071E000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000739000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.000000000071E000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.0000000000739000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: asd.exe, 00000000.00000002.2209649051.000000000071E000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.000000000071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900:
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: asd.exe, 00000000.00000002.2209911439.0000000000753000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: asd.exe, 00000000.00000002.2209911439.0000000000753000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shopN
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\asd.exe

Code function: 0_2_004301D0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004301D0

Source: C:\Users\user\Desktop\asd.exe

Code function: 0_2_004301D0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004301D0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2209463629.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040B9AF	0_2_0040B9AF
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040AE60	0_2_0040AE60
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00408690	0_2_00408690
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00423040	0_2_00423040
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00434870	0_2_00434870
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00412010	0_2_00412010
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040C830	0_2_0040C830
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042A03C	0_2_0042A03C
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004158D6	0_2_004158D6
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004340EF	0_2_004340EF
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004160F1	0_2_004160F1
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004278FF	0_2_004278FF
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00427080	0_2_00427080
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00435090	0_2_00435090
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00405940	0_2_00405940
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043395D	0_2_0043395D
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041D170	0_2_0041D170
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00438110	0_2_00438110
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042A9C4	0_2_0042A9C4
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004149D2	0_2_004149D2
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004231E0	0_2_004231E0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004389F0	0_2_004389F0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043C990	0_2_0043C990
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040A9B0	0_2_0040A9B0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041CA40	0_2_0041CA40
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042AA62	0_2_0042AA62
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041826E	0_2_0041826E
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00409270	0_2_00409270
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041C200	0_2_0041C200
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00406230	0_2_00406230
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00415230	0_2_00415230
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00434AD0	0_2_00434AD0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040E2D5	0_2_0040E2D5
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004282E8	0_2_004282E8
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042228A	0_2_0042228A
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041BAA0	0_2_0041BAA0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043B2A0	0_2_0043B2A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042D32A	0_2_0042D32A
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00421380	0_2_00421380
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00402B90	0_2_00402B90
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004253A0	0_2_004253A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004353A0	0_2_004353A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043B3B0	0_2_0043B3B0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042E440	0_2_0042E440
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040FC0A	0_2_0040FC0A
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043C410	0_2_0043C410
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042B429	0_2_0042B429
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00404C30	0_2_00404C30
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043B4C0	0_2_0043B4C0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00417CE5	0_2_00417CE5
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00419490	0_2_00419490
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040D49A	0_2_0040D49A
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004074A0	0_2_004074A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00424CA0	0_2_00424CA0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041D4B0	0_2_0041D4B0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043B550	0_2_0043B550
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041CD60	0_2_0041CD60
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042FD60	0_2_0042FD60
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00422500	0_2_00422500
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004145C0	0_2_004145C0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043B5E0	0_2_0043B5E0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004265F8	0_2_004265F8
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00416D85	0_2_00416D85
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00435E40	0_2_00435E40
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00427E72	0_2_00427E72
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00409630	0_2_00409630
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00436632	0_2_00436632
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004066C0	0_2_004066C0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004256C0	0_2_004256C0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00429ECA	0_2_00429ECA
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041D6F0	0_2_0041D6F0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00405E90	0_2_00405E90
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004256A0	0_2_004256A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043C6A0	0_2_0043C6A0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00402F40	0_2_00402F40
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0042A749	0_2_0042A749
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00420720	0_2_00420720
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040CF2B	0_2_0040CF2B
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0040D738	0_2_0040D738
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00408FE0	0_2_00408FE0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041E7F0	0_2_0041E7F0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0041A790	0_2_0041A790
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00420FA0	0_2_00420FA0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A2F68	0_2_004A2F68
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00645064	0_2_00645064
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00644FA7	0_2_00644FA7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064503C	0_2_0064503C
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_006360F7	0_2_006360F7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_006660A7	0_2_006660A7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065A131	0_2_0065A131
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063D192	0_2_0063D192
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00642277	0_2_00642277
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00639247	0_2_00639247
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00651207	0_2_00651207
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_006652F7	0_2_006652F7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065A2A3	0_2_0065A2A3
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00668377	0_2_00668377
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00664356	0_2_00664356
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00646358	0_2_00646358
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064D3D7	0_2_0064D3D7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064C467	0_2_0064C467
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_006394D7	0_2_006394D7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00636497	0_2_00636497
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00634567	0_2_00634567
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065854F	0_2_0065854F
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063E53C	0_2_0063E53C
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_006515E7	0_2_006515E7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065D591	0_2_0065D591
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0066C677	0_2_0066C677
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00665607	0_2_00665607
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00655607	0_2_00655607
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_006496F7	0_2_006496F7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065E6A7	0_2_0065E6A7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065B690	0_2_0065B690
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063D701	0_2_0063D701
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00637707	0_2_00637707
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064D717	0_2_0064D717
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_006388F7	0_2_006388F7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00639897	0_2_00639897
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064D957	0_2_0064D957
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00636927	0_2_00636927
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0066C907	0_2_0066C907
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064A9F7	0_2_0064A9F7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_006489D3	0_2_006489D3
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065A9B0	0_2_0065A9B0
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00650987	0_2_00650987
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063D99F	0_2_0063D99F
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064EA57	0_2_0064EA57
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00664AD7	0_2_00664AD7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063CA97	0_2_0063CA97
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00645B3D	0_2_00645B3D
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0066CBF7	0_2_0066CBF7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00663BC4	0_2_00663BC4
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00635BA7	0_2_00635BA7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00633BB7	0_2_00633BB7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00668C57	0_2_00668C57
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065AC2B	0_2_0065AC2B
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063AC17	0_2_0063AC17
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063BC16	0_2_0063BC16
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065ACC9	0_2_0065ACC9
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064CCA7	0_2_0064CCA7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00664D37	0_2_00664D37
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00632DF7	0_2_00632DF7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063FE71	0_2_0063FE71
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00648E4E	0_2_00648E4E
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00634E97	0_2_00634E97
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0066CF37	0_2_0066CF37
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0065FFC7	0_2_0065FFC7
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0064CFC7	0_2_0064CFC7

Source: C:\Users\user\Desktop\asd.exe	Code function: String function: 004145B0 appears 76 times
Source: C:\Users\user\Desktop\asd.exe	Code function: String function: 00644817 appears 76 times
Source: C:\Users\user\Desktop\asd.exe	Code function: String function: 00638247 appears 75 times
Source: C:\Users\user\Desktop\asd.exe	Code function: String function: 00407FE0 appears 35 times

Source: C:\Users\user\Desktop\asd.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1004

Source: asd.exe, 00000000.00000003.2011479430.0000000000770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOdilemio@ vs asd.exe
Source: asd.exe, 00000000.00000002.2209400615.000000000046C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdilemio@ vs asd.exe
Source: asd.exe	Binary or memory string: OriginalFilenamesOdilemio@ vs asd.exe

Source: asd.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2209463629.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@10/1

Source: C:\Users\user\Desktop\asd.exe

Code function: 0_2_004A0C15 CreateToolhelp32Snapshot,Module32First,

0_2_004A0C15

Source: C:\Users\user\Desktop\asd.exe

Code function: 0_2_0042F9F9 CoCreateInstance,

0_2_0042F9F9

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4124

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\78172998-d977-4421-b626-7793d5b0ac23

Jump to behavior

Source: asd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\asd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: asd.exe	ReversingLabs: Detection: 76%
Source: asd.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\asd.exe

File read: C:\Users\user\Desktop\asd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\asd.exe "C:\Users\user\Desktop\asd.exe"
Source: C:\Users\user\Desktop\asd.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1004

Source: C:\Users\user\Desktop\asd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\asd.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\asd.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\asd.exe

Unpacked PE file: 0.2.asd.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\asd.exe

Unpacked PE file: 0.2.asd.exe.400000.0.unpack

Source: C:\Users\user\Desktop\asd.exe	Code function: 0_3_0073E56C push ecx; ret	0_3_0073E57B
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_3_00742A44 push esp; iretd	0_3_00742A45
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_3_0073D94C push ebp; retf	0_3_0073D94D
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_3_0073C7CC push esi; retf	0_3_0073C7CD
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0043B250 push eax; mov dword ptr [esp], 86858453h	0_2_0043B253
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A302A push es; retf	0_2_004A3121
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A2F68 push es; retf	0_2_004A3121
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A6B60 push 61788011h; ret	0_2_004A6B9E
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A2FCD push es; retf	0_2_004A3121
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A6BE4 push es; ret	0_2_004A6C04
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A59FD push es; retf	0_2_004A5A00
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A3588 push ebx; ret	0_2_004A3589
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0066B4B7 push eax; mov dword ptr [esp], 86858453h	0_2_0066B4BA

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\asd.exe TID: 5672	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\asd.exe TID: 4296	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: asd.exe, 00000000.00000002.2209911439.0000000000753000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5
Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: asd.exe, 00000000.00000002.2209911439.0000000000753000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\asd.exe

Code function: 0_2_00439AF0 LdrInitializeThunk,

0_2_00439AF0

Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_004A04F2 push dword ptr fs:[00000030h]	0_2_004A04F2
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_0063092B mov eax, dword ptr fs:[00000030h]	0_2_0063092B
Source: C:\Users\user\Desktop\asd.exe	Code function: 0_2_00630D90 mov eax, dword ptr fs:[00000030h]	0_2_00630D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: asd.exe	String found in binary or memory: debonairnukk.xyz
Source: asd.exe	String found in binary or memory: diffuculttan.xyz
Source: asd.exe	String found in binary or memory: effecterectz.xyz
Source: asd.exe	String found in binary or memory: deafeninggeh.biz
Source: asd.exe	String found in binary or memory: immureprech.biz

Source: C:\Users\user\Desktop\asd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
asd.exe	76%	ReversingLabs	Win32.Trojan.LummaStealer
asd.exe	75%	Virustotal		Browse
asd.exe	100%	Avira	HEUR/AGEN.1306956
asd.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://effecterectz.xyz/j	100%	Avira URL Cloud	malware
https://effecterectz.xyz/z	100%	Avira URL Cloud	malware
brendon-sharjen.biz	100%	Avira URL Cloud	malware
https://effecterectz.xyz/r	100%	Avira URL Cloud	malware
https://debonairnukk.xyz/apij	100%	Avira URL Cloud	malware
https://effecterectz.xyz/B	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
awake-weaves.cyou	unknown	unknown	false	high
immureprech.biz	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
deafeninggeh.biz	unknown	unknown	false	high
brendon-sharjen.biz	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sordid-snaked.cyou	false		high
deafeninggeh.biz	false		high
diffuculttan.xyz	false		high
effecterectz.xyz	false		high
wrathful-jammy.cyou	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
awake-weaves.cyou	false		high
immureprech.biz	false		high
debonairnukk.xyz	false		high
brendon-sharjen.biz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/z	asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/?subsection=broadcasts	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/	asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=d_Qf	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://debonairnukk.xyz/api	asd.exe	false		high
https://store.steampowered.com/stats/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shopN	asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://diffuculttan.xyz/api	asd.exe, 00000000.00000003.2026960253.0000000000739000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.0000000000739000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	asd.exe, 00000000.00000002.2209911439.0000000000753000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://debonairnukk.xyz/apij	asd.exe, 00000000.00000003.2026960253.0000000000739000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.0000000000739000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/B	asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://store.steampowered.com/privacy_agreement/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/i	asd.exe, 00000000.00000003.2026960253.0000000000739000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.0000000000739000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://effecterectz.xyz/	asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/api	asd.exe, 00000000.00000003.2012651136.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=fh8YN-Pt	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000002.2209649051.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/r	asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900:	asd.exe, 00000000.00000002.2209649051.000000000071E000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026960253.0000000000717000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/j	asd.exe, 00000000.00000003.2012651136.000000000071E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/;	asd.exe, 00000000.00000002.2209911439.0000000000753000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026870925.0000000000751000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	asd.exe, 00000000.00000003.2026582602.000000000079F000.00000004.00000020.00020000.00000000.sdmp, asd.exe, 00000000.00000003.2026582602.0000000000799000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585823
Start date and time:	2025-01-08 10:08:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	asd.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@10/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 16 Number of non-executed functions: 221
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.190.159.75, 20.109.210.53, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:08:54	API Interceptor	4x Sleep call for process: asd.exe modified
04:09:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.102.49.254
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ZxSWvC0Tz7.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	EPSONOPOSADKV3.00ER10.zip	Get hash	malicious	Unknown	Browse	184.28.90.27
	miori.x86.elf	Get hash	malicious	Unknown	Browse	104.123.242.179
	https://pozaweclip.upnana.com/	Get hash	malicious	Unknown	Browse	2.19.126.89
	https://link.edgepilot.com/s/692fcd16/rcPy0yXyykq_mRLKroUvRQ?u=https://petroleumalliance.us8.list-manage.com/track/click?u=325f73d29a0b4f85a46b700a9%26id=dfe369da82%26e=94c2db4428	Get hash	malicious	Unknown	Browse	104.102.57.226
	miori.m68k.elf	Get hash	malicious	Unknown	Browse	104.78.21.149
	miori.m68k.elf	Get hash	malicious	Unknown	Browse	72.247.212.104
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	92.122.166.252
	https://viirtus.com/?uhqubmdv=6b0cf7592247f0ce6faa27a3b42d16a0fdea3bcbc625e658150f2141942e41191a6f5794e3683bbd4b95a6a792b5cafae4f710289eba79c968c11a2e84a1f677	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	104.102.41.166
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GR7ShhQTKE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ab89jay39E.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_asd.exe_61c5959f5fa884b224fe8127d1a5716d2ad95c_cd7cc746_282e3677-8c36-4a03-9b44-2409570e0382\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9452656963335101
Encrypted:	false
SSDEEP:	96:CSMOamFPZsLh257zffQXIDcQAc6DcEpcw3Zm+HbHg/wWGTf3hOyc45WAU6NCUtWK:hMOnPZG0eHjV3jsFRzuiFcSZ24IO8b
MD5:	394385A391BCE087AEFB997BC06CDEF4
SHA1:	9ECF36F07D51F3D84E1A5C6DBA3588595CAA603A
SHA-256:	0C39BC981592AD0081AB4E3078F77F4449470E49EFE8A5CE7B0FA84B8C679074
SHA-512:	CA16D429297FBDB8ED93C809C4910BDEE3D43D2D95D09D27FFC2BDBFC81C3D396BF307546867C20833E3D0405A597E8CDBFEF256B5FFAA375D77EBAE2CA54BC3
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.0.0.9.3.6.0.0.8.8.7.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.0.0.9.3.6.3.6.8.2.5.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.2.e.3.6.7.7.-.8.c.3.6.-.4.a.0.3.-.9.b.4.4.-.2.4.0.9.5.7.0.e.0.3.8.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.1.6.2.f.2.d.-.b.1.f.9.-.4.5.7.e.-.9.5.2.7.-.5.b.0.c.1.a.0.1.e.8.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.1.c.-.0.0.0.1.-.0.0.1.4.-.7.f.7.e.-.4.c.f.0.a.c.6.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.a.8.8.e.3.a.0.5.3.2.1.9.1.6.a.d.f.b.8.6.8.4.7.b.8.2.8.f.8.3.0.0.0.0.f.f.f.f.!.0.0.0.0.9.a.f.a.1.9.0.d.5.e.4.6.e.3.2.a.e.c.7.6.7.e.2.f.3.d.3.6.6.e.2.6.8.c.e.5.b.0.c.e.!.a.s.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE47.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 8 09:08:56 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	52762
Entropy (8bit):	2.7534326038774766
Encrypted:	false
SSDEEP:	192:EfXPUfQM4aIWOp1BFS7knrdy8cgye0sMQNwxsMntmus9EBg0jI/H0r7:zfQraQ7Bc7knvYB09EZU/H87
MD5:	AB15C6A61DA1DFF26CB42B9C46D829CD
SHA1:	615B879E5FE118550D6423DC8154044E2589103C
SHA-256:	AFB7C2C8C592AA1AAF05183061C3B51AB32A5C94DD8AEA9FA5C7CB121C3E306B
SHA-512:	DC5E7BAED6016AF1E10BBA0A1C4BDA32C4DC05608702851B89DC5701274A6E080E371B1662BF1FDC261E0C3B8FF8CFD955B11BB0705D5343DF2083069A37596D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........@~g............4...............H...........<.......................`.......8...........T............@.............. ............ ..............................................................................eJ....... ......GenuineIntel............T............@~g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8268
Entropy (8bit):	3.689165607661444
Encrypted:	false
SSDEEP:	192:R6l7wVeJUi6T6YEIrSUvJ9njgmfiVepDO89bctsfR0m:R6lXJh6T6YEkSUvJ9jgmfiOcmf3
MD5:	C855B9E122E83B9E304CE72838C7C12C
SHA1:	69AF6A7A7EBC35705DBA25562B99320415E5964E
SHA-256:	0F88339AEE023D722BDD9256F66193D3B46B7FD8AC1429FEFD0606D557EB4314
SHA-512:	A5F7804A729C82451A2609F68BADF48F7459283185E186F4006D4D67D88ABB987C26C96B172E4431B3A0DF8BFFBBE03EA469F2CBD589480428C706EE7032965D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF14.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4530
Entropy (8bit):	4.416119817647182
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9BGWpW8VYmYm8M4JVIFJK+q841XZz5wd:uIjfvI7/H7VOJ73Zz5wd
MD5:	8A3E396DFADD49A1E6976CF7D0C43640
SHA1:	4BCD99379926B8E1FA5002961535D320170F8416
SHA-256:	6EE929AEE54A3F8164C119440FFEBD7C65C0E809101DD3A10C4AACAB5F2F23A2
SHA-512:	ABFE30A24EE580644E35EA46BB36E8FA06F30611D686642572D7E7813C8EFA9CFFBD2DDAF36D3CC011096A12AD9BC527B4FFD622ADB9C81A0B9FE36597BD4E61
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="666731" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421305751199113
Encrypted:	false
SSDEEP:	6144:iSvfpi6ceLP/9skLmb0OTuWSPHaJG8nAgeMZMMhA2fX4WABlEnNZ0uhiTw:xvloTuW+EZMM6DFyH03w
MD5:	94F26C382392BFBF861283753839A0DA
SHA1:	BB7C78EEF71D38190AC6DCA61FD0FDE64744562E
SHA-256:	CEA61EE3D06B6EFFC515D78E2D7A5F1312156818590AA0473C8B76B5A2CCC5E1
SHA-512:	80AE1371BD0AA59DFE4836A46E94BF8F074F3318C796FFFA485CCF3C4EFF0256D818064DDDE7CD24BB220D3FEE03EEA4228409EC317735F627B40F483EDA4D37
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.+..a..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.034951190206485
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	asd.exe
File size:	429'568 bytes
MD5:	48ae927ff130dd0e9883d41a9cdf6514
SHA1:	9afa190d5e46e32aec767e2f3d366e268ce5b0ce
SHA256:	e6c75ba5d611e79d680ea437a8d874d2d001003fd2297c0f20f1ed06471bc002
SHA512:	741a3c0f7cd84df552beda05fc119c2331591756af1ed6108bc65c4c10c8da35126958e6d6cdf541949c5286d03fe26d746c8d136853424aa0c84b488f27dc3a
SSDEEP:	6144:kuDOb4DK/BL8N43LPLG/9MnZLFvISFyxjHUAwkSP8:DD04GpoNcL6/QZLFvIbxj
TLSH:	1694E12276E2C073E9A541B48875C6B41ABAB8700B2559C77FD44BAD8F352D3CF3634A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nKK..%...%...%..]....%..]....%..]..1.%...^...%...$.0.%..]....%..]....%..]....%.Rich..%.................PE..L...e.Kf...........

File Icon


Icon Hash:	322f25971d1945d4

Static PE Info

General

Entrypoint:	0x40871b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x664BCC65 [Mon May 20 22:19:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c00735f05d13fd7a2bf1a7281832b72f

Entrypoint Preview

Instruction
call 00007FC29C7E3DD7h
jmp 00007FC29C7DBFEEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov eax, dword ptr [00460468h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
test byte ptr [00460144h], 00000001h
push esi
je 00007FC29C7DC17Ah
push 0000000Ah
call 00007FC29C7E369Bh
pop ecx
call 00007FC29C7E3E91h
test eax, eax
je 00007FC29C7DC17Ah
push 00000016h
call 00007FC29C7E3E93h
pop ecx
test byte ptr [00460144h], 00000002h
je 00007FC29C7DC240h
mov dword ptr [ebp-00000220h], eax
mov dword ptr [ebp-00000224h], ecx
mov dword ptr [ebp-00000228h], edx
mov dword ptr [ebp-0000022Ch], ebx
mov dword ptr [ebp-00000230h], esi
mov dword ptr [ebp-00000234h], edi
mov word ptr [ebp-00000208h], ss
mov word ptr [ebp-00000214h], cs
mov word ptr [ebp-00000238h], ds
mov word ptr [ebp-0000023Ch], es
mov word ptr [ebp-00000240h], fs
mov word ptr [ebp-00000244h], gs
pushfd
pop dword ptr [ebp-00000210h]
mov esi, dword ptr [ebp+04h]
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp-0000020Ch], eax
mov dword ptr [ebp-000002D0h], 00010001h
mov dword ptr [ebp-00000218h], esi
mov eax, dword ptr [eax-04h]
push 00000050h
mov dword ptr [ebp+000000E4h], eax

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f1b0	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0x39d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3800	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1b8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ebbc	0x5ec00	033681e26b03fbb728c9394a751fb81a	False	0.6129282445580475	data	6.358310341480352	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x60000	0xb1c8	0x6400	1d60d2113d8df8266207369daaa8b9a5	False	0.0913671875	data	1.243243884631685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6c000	0x39d8	0x3a00	d2832ef54939f629469d513c55ae64b1	False	0.39587823275862066	data	3.6541868796489205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6c1e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.33122119815668205
RT_ICON	0x6c1e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.33122119815668205
RT_ICON	0x6c8a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	India	0.3655601659751037
RT_ICON	0x6c8a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	Sri Lanka	0.3655601659751037
RT_ICON	0x6ee50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	India	0.6595744680851063
RT_ICON	0x6ee50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	Sri Lanka	0.6595744680851063
RT_STRING	0x6f540	0x496	data	Tamil	India	0.4454855195911414
RT_STRING	0x6f540	0x496	data	Tamil	Sri Lanka	0.4454855195911414
RT_ACCELERATOR	0x6f2e8	0x50	data	Tamil	India	0.825
RT_ACCELERATOR	0x6f2e8	0x50	data	Tamil	Sri Lanka	0.825
RT_GROUP_ICON	0x6f2b8	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x6f2b8	0x30	data	Tamil	Sri Lanka	0.9375
RT_VERSION	0x6f338	0x208	data			0.5384615384615384

Imports

DLL

Import

KERNEL32.dll

GetComputerNameA, EnumCalendarInfoA, WriteConsoleInputW, TlsGetValue, SetComputerNameExA, InterlockedDecrement, GetCurrentProcess, GetLogicalDriveStringsW, InterlockedCompareExchange, WriteConsoleInputA, FreeEnvironmentStringsA, GetModuleHandleW, FindNextVolumeMountPointA, CancelDeviceWakeupRequest, EnumTimeFormatsA, LoadLibraryW, ReadConsoleInputA, GetCalendarInfoW, GetVersionExW, GetFileAttributesA, FindNextVolumeW, GetShortPathNameA, VerifyVersionInfoW, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, VirtualAlloc, CreateJobSet, CopyFileA, SetFileAttributesA, GetTempFileNameA, GetAtomNameA, LoadLibraryA, InterlockedExchangeAdd, SetCalendarInfoW, OpenEventA, GetCommMask, EnumDateFormatsA, GlobalUnWire, GetDiskFreeSpaceExW, EnumCalendarInfoExA, LCMapStringW, GetVolumeInformationW, InterlockedIncrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, HeapAlloc, HeapCreate, VirtualFree, HeapReAlloc, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, ReadFile, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, SetFilePointer, CloseHandle, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, GetStringTypeW, InitializeCriticalSectionAndSpinCount, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetLocaleInfoW, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T10:08:55.124061+0100	2058039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)	1	192.168.2.5	51699	1.1.1.1	53	UDP
2025-01-08T10:08:55.136099+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.5	56649	1.1.1.1	53	UDP
2025-01-08T10:08:55.162090+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.5	54581	1.1.1.1	53	UDP
2025-01-08T10:08:55.172916+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.5	52583	1.1.1.1	53	UDP
2025-01-08T10:08:55.194566+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.5	60744	1.1.1.1	53	UDP
2025-01-08T10:08:55.208163+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.5	57137	1.1.1.1	53	UDP
2025-01-08T10:08:55.220529+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.5	61799	1.1.1.1	53	UDP
2025-01-08T10:08:55.231855+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.5	49789	1.1.1.1	53	UDP
2025-01-08T10:08:55.250757+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.5	65134	1.1.1.1	53	UDP
2025-01-08T10:08:55.929255+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	104.102.49.254	443	TCP
2025-01-08T10:08:56.442985+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49704	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 10:08:55.274775028 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:55.274812937 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:55.274899960 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:55.275950909 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:55.275964975 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:55.929181099 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:55.929255009 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:55.938666105 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:55.938689947 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:55.938966990 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:55.980026007 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.017899036 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.059331894 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.443021059 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.443047047 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.443074942 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.443087101 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.443095922 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.443109035 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.443124056 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.443139076 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.443164110 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.530066967 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.530101061 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.530165911 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.530205965 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.530371904 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.568409920 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.568423033 CET	443	49704	104.102.49.254	192.168.2.5
Jan 8, 2025 10:08:56.568435907 CET	49704	443	192.168.2.5	104.102.49.254
Jan 8, 2025 10:08:56.568443060 CET	443	49704	104.102.49.254	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 10:08:55.124061108 CET	51699	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.133050919 CET	53	51699	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.136099100 CET	56649	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.145030022 CET	53	56649	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.162090063 CET	54581	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.170597076 CET	53	54581	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.172915936 CET	52583	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.182410002 CET	53	52583	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.194566011 CET	60744	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.206126928 CET	53	60744	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.208163023 CET	57137	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.218271971 CET	53	57137	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.220529079 CET	61799	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.229655981 CET	53	61799	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.231854916 CET	49789	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.248667002 CET	53	49789	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.250756979 CET	65134	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.260174990 CET	53	65134	1.1.1.1	192.168.2.5
Jan 8, 2025 10:08:55.262362003 CET	51844	53	192.168.2.5	1.1.1.1
Jan 8, 2025 10:08:55.269923925 CET	53	51844	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 10:08:55.124061108 CET	192.168.2.5	1.1.1.1	0x828b	Standard query (0)	brendon-sharjen.biz	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.136099100 CET	192.168.2.5	1.1.1.1	0x48a3	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.162090063 CET	192.168.2.5	1.1.1.1	0x54f4	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.172915936 CET	192.168.2.5	1.1.1.1	0x2ed6	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.194566011 CET	192.168.2.5	1.1.1.1	0x5da	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.208163023 CET	192.168.2.5	1.1.1.1	0xc0a3	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.220529079 CET	192.168.2.5	1.1.1.1	0x97d0	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.231854916 CET	192.168.2.5	1.1.1.1	0x7da1	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.250756979 CET	192.168.2.5	1.1.1.1	0x56fe	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.262362003 CET	192.168.2.5	1.1.1.1	0xbd36	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 10:08:55.133050919 CET	1.1.1.1	192.168.2.5	0x828b	Name error (3)	brendon-sharjen.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.145030022 CET	1.1.1.1	192.168.2.5	0x48a3	Name error (3)	immureprech.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.170597076 CET	1.1.1.1	192.168.2.5	0x54f4	Name error (3)	deafeninggeh.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.182410002 CET	1.1.1.1	192.168.2.5	0x2ed6	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.206126928 CET	1.1.1.1	192.168.2.5	0x5da	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.218271971 CET	1.1.1.1	192.168.2.5	0xc0a3	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.229655981 CET	1.1.1.1	192.168.2.5	0x97d0	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.248667002 CET	1.1.1.1	192.168.2.5	0x7da1	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.260174990 CET	1.1.1.1	192.168.2.5	0x56fe	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 10:08:55.269923925 CET	1.1.1.1	192.168.2.5	0xbd36	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.102.49.254	443	4124	C:\Users\user\Desktop\asd.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 09:08:56 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-08 09:08:56 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 08 Jan 2025 09:08:56 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=b95b21e4af153b8c7d622a80; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-08 09:08:56 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-08 09:08:56 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	04:08:53
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\asd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\asd.exe"
Imagebase:	0x400000
File size:	429'568 bytes
MD5 hash:	48AE927FF130DD0E9883D41A9CDF6514
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2209463629.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:08:55
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1004
Imagebase:	0xba0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	30.8%
Signature Coverage:	41.8%
Total number of Nodes:	91
Total number of Limit Nodes:	9

Executed Functions

Function 00408690 Relevance: 7.7, APIs: 5, Instructions: 232
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040875C
GetCurrentThreadId.KERNEL32 ref: 00408766
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040881A
GetForegroundWindow.USER32 ref: 0040882F

Part of subcall function 0040C7C0: CoInitializeEx.OLE32(00000000,00000002), ref: 0040C7D3

ExitProcess.KERNEL32 ref: 0040897D

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3701390975-0
Opcode ID: 6f01f4c473d27c53117c7d91c6c64f4699996434ba42708545078dbd7f523eaa
Instruction ID: 95a317e480a2d5aee24c8289397fe20c0d36a0d3d156f7a702bff1b1a220e471
Opcode Fuzzy Hash: 6f01f4c473d27c53117c7d91c6c64f4699996434ba42708545078dbd7f523eaa
Instruction Fuzzy Hash: E5713873F047105BC318EF6DCD4236AB6D6ABC4714F1E813EA899EB3D5E9788C058685

Function 004A0C15 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 004A0C3D
Module32First.KERNEL32(00000000,00000224), ref: 004A0C5D

Memory Dump Source

Source File: 00000000.00000002.2209463629.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_asd.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 40f6dad83af472ea9c820c8acba2c18081616562d6756084ced35fffcbf3aba5
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D1F0C2365007146BD7243BB5988CAABB2ECEF5A734F10062EE642911C0DA78E8458669

Function 0040AE60 Relevance: 3.0, Strings: 2, Instructions: 493
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EG, xrefs: 0040B079
!A, xrefs: 0040AF21

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: !A$EG
API String ID: 0-3010525424
Opcode ID: 5868d1a9f01961c861420319a8932086734e137bf12078e9a8a7b6f5e4e76fb4
Instruction ID: 9bba307de7b439d5234207c067d36bc121b452030387a0c090fe3242c058a592
Opcode Fuzzy Hash: 5868d1a9f01961c861420319a8932086734e137bf12078e9a8a7b6f5e4e76fb4
Instruction Fuzzy Hash: B61297B5101B41DFD3248F25EC41B97BBF5FB8A304F158A2CD1AA8B6A1DB74A441CF58

Function 00439BE8 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

rq[P, xrefs: 00439C6B
nq[P, xrefs: 00439BF1

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: nq[P$rq[P
API String ID: 2994545307-2909691123
Opcode ID: 6284779297c15d92aad6113c9a59f44f615f4a62402be2677d1ef626f2a7c62b
Instruction ID: b607d9503db8f49fc5eb3f4a9d08a94e19dddf56f676e5841e6c9b2ad61a41b1
Opcode Fuzzy Hash: 6284779297c15d92aad6113c9a59f44f615f4a62402be2677d1ef626f2a7c62b
Instruction Fuzzy Hash: A451E536E501558FDB18CF28CC815BEB763FBC9310F2A5269D592A7356CB78AC02C798

Function 00439AF0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043BC68,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439B1E

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043A55A Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

tCp, xrefs: 0043A676

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: tCp
API String ID: 0-2136114535
Opcode ID: 165ce531d4ef642d5d1eb005d4b78d7438d0aee2ceb65d8f42d6d114adf30906
Instruction ID: 8ca1db712a8936c7bbe518f80726e82080a1a7cbdad8fa7e82843f49716c0d50
Opcode Fuzzy Hash: 165ce531d4ef642d5d1eb005d4b78d7438d0aee2ceb65d8f42d6d114adf30906
Instruction Fuzzy Hash: E951F1706502118FDB18CF64C862B7AB7B2FF99314F09916DD0819B3A1E379C811CB89

Function 0040B9AF Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

[\, xrefs: 0040BAAA

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: [\
API String ID: 0-2051771327
Opcode ID: ecd83d49e737039969fc9a01a5a5ccd7361e12d91337dd1d4edd54560e481326
Instruction ID: f290e286d1db89940dca0d31b2f2e558d002c586b0422b28c9512835a9c7afd1
Opcode Fuzzy Hash: ecd83d49e737039969fc9a01a5a5ccd7361e12d91337dd1d4edd54560e481326
Instruction Fuzzy Hash: 67414432F183505FD364CAA49CC175BFB92EBE1204F29953CE9C9A7351D2759C068B89

Function 00439F2D Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f5a67ce6aa6379d798783bf794e502b8216415052f7ec47ae8ae9f1f86cc681
Instruction ID: 4e15c756d994f331d68d7bacd99d09935940be0335b617cdea25940d6d1f2630
Opcode Fuzzy Hash: 1f5a67ce6aa6379d798783bf794e502b8216415052f7ec47ae8ae9f1f86cc681
Instruction Fuzzy Hash: BA21E735A545159BDB14CF54CC42B7EB3B2FB89314F299264E411B72D8D7B9AC02CB88

Function 0063003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0063024D

Strings

cess, xrefs: 0063018D
kernel32.dll, xrefs: 0063008F, 00630095

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 8f69342a498a25bf33f9362e99804d6d805f6cc08e10f7a952bbbdd345a8224a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: AF527874A00229DFDB64CF58C995BA8BBB1BF09314F1480D9E90DAB351DB30AE89DF54

Function 00630E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00630223,?,?), ref: 00630E19
SetErrorMode.KERNELBASE(00000000,?,?,00630223,?,?), ref: 00630E1E

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4b3f2dadeb50f47f9dffb3410bc12ca49dcb814039e7263dfb2ecc5297b295b0
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 9ED0123124512877D7003A94DC09BCD7B1CDF05B62F008411FB0DD9180C770994046E5

Function 00439A90 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B516,?,00000001), ref: 00439AC2

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d39d4d60aea40f19f4d7dbe00462a8e204f18f73e25999cc7386371eda7babf3
Instruction ID: 612a1062ed1f1db908cdb5b63e9ddfbb05803f5438dd93a395e634c9b14bd9d6
Opcode Fuzzy Hash: d39d4d60aea40f19f4d7dbe00462a8e204f18f73e25999cc7386371eda7babf3
Instruction Fuzzy Hash: 6BE02B36418651ABC6006B387C06B1B7674EFCA750F06097AF50196125DB39E801C59E

Function 0040A6E4 Relevance: 1.5, APIs: 1, Instructions: 23
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0040A718

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 38c488f27837c046cd8dfc5d7dee0bc366b826b19d8fe4625c96c62542086e42
Instruction ID: b8192b8450aac6728c6f68484daea1d998956f682be5a9ca4c19e41291b574a4
Opcode Fuzzy Hash: 38c488f27837c046cd8dfc5d7dee0bc366b826b19d8fe4625c96c62542086e42
Instruction Fuzzy Hash: 2DE0203B980320B7D3285790EC0BE1D3521D7D6705B098229ED14227F7F3440D1581D7

Function 0043A412 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043A423

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 86de71086fb4d2dfaa2aef877f1d185c5641fb718cdf39f7fb99ca4d68b06ccf
Instruction ID: 721be64323d42d4027c08c88b15ce3ccc8d8dcf79ff388a416bbbbc10fdaf684
Opcode Fuzzy Hash: 86de71086fb4d2dfaa2aef877f1d185c5641fb718cdf39f7fb99ca4d68b06ccf
Instruction Fuzzy Hash: F6E08C7DA40404CFCB00CF64E8914683371FB0E304B14107AE603D7322D7316809CB18

Function 004380E0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00439ADB,?,0040B516,?,00000001), ref: 004380FE

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: dba73c507b58ea9f394ef8f243ab26572587b18630f8d85050724d3fb43c1e22
Instruction ID: 8601168786658fa2b0167f8fdbc250b6e85e6bd354350f2a61f82faff9543f43
Opcode Fuzzy Hash: dba73c507b58ea9f394ef8f243ab26572587b18630f8d85050724d3fb43c1e22
Instruction Fuzzy Hash: 33D01235445522EBCA102F14FC0AB8B7B54EF4A721F0344B2B500AF072C775DC91CAD8

Function 004380B0 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 004380BA

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dfa9bcdcf4992effd9ebc96b3b68172bd96eb1e6feaa9f1728678ead5c2ba133
Instruction ID: 619cd3f0a1d579054a44b95f095a6da8aabd5bd483f4f5c16aff5eb9f323e829
Opcode Fuzzy Hash: dfa9bcdcf4992effd9ebc96b3b68172bd96eb1e6feaa9f1728678ead5c2ba133
Instruction Fuzzy Hash: B7B00234145515B9E57117115CD5F7F1D6CDF43E9DF600054B208180D146545442D57D

Function 004A08D4 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 004A0925

Memory Dump Source

Source File: 00000000.00000002.2209463629.00000000004A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a0000_asd.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 2f7faa87156de29124a65fb638c2537f62d90fcb473bbff8854de04431a5634e
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: FC116C79A00208EFDB01DF98C985E89BFF5AF08351F058095F9489B362D375EA50DF80

Non-executed Functions

Function 00412010 Relevance: 110.8, Strings: 87, Instructions: 2050COMMON

Download Yara Rule

Strings

B, xrefs: 00412E3B
~, xrefs: 004138A1
e, xrefs: 004131CA
D, xrefs: 00414053
., xrefs: 00413182
\, xrefs: 00412A4C
p, xrefs: 004127D6
C, xrefs: 00413F3F
D, xrefs: 00412E31
J, xrefs: 00412826
P, xrefs: 004122D9
c, xrefs: 004131BA
B, xrefs: 00413F44
H, xrefs: 004137D9
A, xrefs: 00414062
B, xrefs: 00413A0E
d, xrefs: 00412D22
D, xrefs: 00413D69
%, xrefs: 004122D4
Z, xrefs: 00412A56
o, xrefs: 004133A3
K, xrefs: 004134D9
x, xrefs: 00413871
A, xrefs: 00413D78
B, xrefs: 00413D73
P, xrefs: 004133A8
A, xrefs: 00412E43
3, xrefs: 00412634
Y, xrefs: 00412A51
a, xrefs: 00412D0A
4, xrefs: 004127DE
s, xrefs: 004137C9
v, xrefs: 00412B90
A, xrefs: 00413A13
r, xrefs: 00412BB0
i, xrefs: 004131EA
k, xrefs: 004131FA
D, xrefs: 00413A04
$, xrefs: 00413751
", xrefs: 00413741
C, xrefs: 00412E36
+, xrefs: 004127CE
%, xrefs: 004127FE
C, xrefs: 00413C5E
., xrefs: 00412CF2
T, xrefs: 00413529
A, xrefs: 00413C6E
t, xrefs: 004127F6
H, xrefs: 00412816
r, xrefs: 004120F7
C, xrefs: 00413A09
[, xrefs: 00412A5B
B, xrefs: 00413C66
L, xrefs: 00413BA2
o, xrefs: 00413829
|, xrefs: 00413891
z, xrefs: 00413881
m, xrefs: 0041320A
a, xrefs: 004131AA
C, xrefs: 00414058
C, xrefs: 00413D6E
D, xrefs: 00413962
r, xrefs: 004127E6
~, xrefs: 004127C6
Q, xrefs: 004133AD
., xrefs: 004127EE
v, xrefs: 00412806
c, xrefs: 00412D1A
&, xrefs: 00413761
p, xrefs: 004138B1
e, xrefs: 00412D2A
l, xrefs: 00413202
D, xrefs: 00413C56
r, xrefs: 00412CE2
+, xrefs: 00413192
g, xrefs: 004131DA
, xrefs: 00413731
L, xrefs: 00412836
D, xrefs: 00413F3A
K, xrefs: 0041282E
, xrefs: 00412C3F
B, xrefs: 0041405D
Q, xrefs: 0041206D
D, xrefs: 00413E8A
`, xrefs: 00412DC3
H, xrefs: 0041304E
A, xrefs: 00413F49

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: $ $"$$$%$%$&$+$+$.$.$.$3$4$A$A$A$A$A$A$B$B$B$B$B$B$C$C$C$C$C$C$D$D$D$D$D$D$D$D$H$H$H$J$K$K$L$L$P$P$Q$Q$T$Y$Z$[$\$`$a$a$c$c$d$e$e$g$i$k$l$m$o$o$p$p$r$r$r$r$s$t$v$v$x$z$|$~$~
API String ID: 0-1347705104
Opcode ID: 2b0cb98ecaacb337a315f3a8ad1e6edd116aa46fdf61f100ef413c42e1cb8cd4
Instruction ID: 5247b736cec1ace8f2ead6485fecf5c8bb33a1d48f45eef8b81bfa453b640866
Opcode Fuzzy Hash: 2b0cb98ecaacb337a315f3a8ad1e6edd116aa46fdf61f100ef413c42e1cb8cd4
Instruction Fuzzy Hash: E8139D3160C7C18AD334CB38C44539FBBE1ABD6324F188A6EE4D9873D2D6B989858757

Function 00642277 Relevance: 110.8, Strings: 87, Instructions: 2050COMMON

Download Yara Rule

Strings

z, xrefs: 00643AE8
C, xrefs: 00643EC5
C, xrefs: 0064309D
D, xrefs: 006440F1
D, xrefs: 00643BC9
, xrefs: 00642EA6
[, xrefs: 00642CC2
B, xrefs: 006441AB
c, xrefs: 00643421
4, xrefs: 00642A45
A, xrefs: 006441B0
L, xrefs: 00643E09
B, xrefs: 006442C4
B, xrefs: 00643ECD
Z, xrefs: 00642CBD
i, xrefs: 00643451
., xrefs: 00642F59
+, xrefs: 006433F9
P, xrefs: 0064360F
p, xrefs: 00642A3D
v, xrefs: 00642A6D
B, xrefs: 00643C75
o, xrefs: 00643A90
L, xrefs: 00642A9D
D, xrefs: 00643098
A, xrefs: 00643ED5
Q, xrefs: 006422D4
~, xrefs: 00642A2D
A, xrefs: 00643FDF
D, xrefs: 006442BA
A, xrefs: 006430AA
K, xrefs: 00643740
t, xrefs: 00642A5D
P, xrefs: 00642540
A, xrefs: 00643C7A
D, xrefs: 00643EBD
\, xrefs: 00642CB3
B, xrefs: 006430A2
T, xrefs: 00643790
K, xrefs: 00642A95
H, xrefs: 006432B5
r, xrefs: 0064235E
d, xrefs: 00642F89
+, xrefs: 00642A35
$, xrefs: 006439B8
D, xrefs: 00643FD0
C, xrefs: 00643C70
%, xrefs: 00642A65
c, xrefs: 00642F81
&, xrefs: 006439C8
x, xrefs: 00643AD8
Y, xrefs: 00642CB8
a, xrefs: 00642F71
3, xrefs: 0064289B
k, xrefs: 00643461
%, xrefs: 0064253B
, xrefs: 00643998
B, xrefs: 00643FDA
r, xrefs: 00642A4D
l, xrefs: 00643469
J, xrefs: 00642A8D
D, xrefs: 00643C6B
e, xrefs: 00643431
r, xrefs: 00642F49
p, xrefs: 00643B18
r, xrefs: 00642E17
A, xrefs: 006442C9
s, xrefs: 00643A30
C, xrefs: 00643FD5
~, xrefs: 00643B08
C, xrefs: 006442BF
`, xrefs: 0064302A
v, xrefs: 00642DF7
C, xrefs: 006441A6
a, xrefs: 00643411
D, xrefs: 006441A1
Q, xrefs: 00643614
m, xrefs: 00643471
H, xrefs: 00643A40
H, xrefs: 00642A7D
., xrefs: 006433E9
e, xrefs: 00642F91
|, xrefs: 00643AF8
., xrefs: 00642A55
o, xrefs: 0064360A
g, xrefs: 00643441
", xrefs: 006439A8

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: $ $"$$$%$%$&$+$+$.$.$.$3$4$A$A$A$A$A$A$B$B$B$B$B$B$C$C$C$C$C$C$D$D$D$D$D$D$D$D$H$H$H$J$K$K$L$L$P$P$Q$Q$T$Y$Z$[$\$`$a$a$c$c$d$e$e$g$i$k$l$m$o$o$p$p$r$r$r$r$s$t$v$v$x$z$|$~$~
API String ID: 0-1347705104
Opcode ID: 820efd2678c4b15d0e51927d3112c194d8d35bfefe62b2f7dd03e423ff7b70e5
Instruction ID: 7ae4ca82a7fe84685dc83b4fd82ac972bc86ecbb94feae4850a0a8058c9e47bb
Opcode Fuzzy Hash: 820efd2678c4b15d0e51927d3112c194d8d35bfefe62b2f7dd03e423ff7b70e5
Instruction Fuzzy Hash: 5D13BD3160C7C18FD335CB38845539FBBE2ABD6324F188A6DE4E987392CA7985468753

Function 00423040 Relevance: 29.5, Strings: 23, Instructions: 789COMMON

Download Yara Rule

Strings

K@, xrefs: 00422E60
D, xrefs: 00422E88
WY, xrefs: 0042307A
AF, xrefs: 00422E67
BC, xrefs: 0042309B
/k+m, xrefs: 00423059
R%z', xrefs: 00423701
DCBA, xrefs: 00423E05
AC, xrefs: 00423815
70B, xrefs: 00422F44
&i>k, xrefs: 004234FC
OI, xrefs: 00423646
23, xrefs: 00423D3C
Y:[, xrefs: 00423580
%', xrefs: 00423878
'oQ, xrefs: 00423064
I], xrefs: 00422E6E
[], xrefs: 00423085
V!U#, xrefs: 004236F6
0m-o, xrefs: 00423507
(), xrefs: 00423713
SU, xrefs: 0042306F
EG, xrefs: 00423549

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: &i>k$'oQ$()$/k+m$0m-o$23$70B$AF$BC$DCBA$I]$K@$OI$R%z'$V!U#$%'$AC$D$EG$SU$WY$Y:[$[]
API String ID: 0-1116524552
Opcode ID: e633ff61d202d6b4148662d20c44ac6b4a09ba08d578d76817aef3ac328ed3e6
Instruction ID: 5ae0d7aeb5625db08fa6c2cd5b71089f930d34bac14ad58b9e84223e250fde3a
Opcode Fuzzy Hash: e633ff61d202d6b4148662d20c44ac6b4a09ba08d578d76817aef3ac328ed3e6
Instruction Fuzzy Hash: B57240B520C3808BD734CF54D842B9FBBF1EB82304F10492DD5A96B256D7B58646CB9B

Function 0040FC0A Relevance: 23.4, Strings: 18, Instructions: 932COMMON

Download Yara Rule

Strings

U, xrefs: 004104BA
3, xrefs: 0040FC94
Z, xrefs: 0040FC1D
DABCD, xrefs: 004105B9
V, xrefs: 004104C2
B, xrefs: 0041038A
O, xrefs: 004101DB
P, xrefs: 004104B2
A, xrefs: 0040FE76
A, xrefs: 00410392
h, xrefs: 0040FD9C
4, xrefs: 00410092
C, xrefs: 00410382
>, xrefs: 0040FC18
D, xrefs: 0041037A
`, xrefs: 0040FE05
+, xrefs: 0041067B
$, xrefs: 0040FFAD

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: $$+$3$4$>$A$A$B$C$D$DABCD$O$P$U$V$Z$`$h
API String ID: 2994545307-175843415
Opcode ID: f945d3e1a79425627c6da8b51a7c0c57c0184afc728e1034eb687c0ff0b3cf3c
Instruction ID: 483331af4594b857fe0ce6079c8881b492f380997123de76c7c70a9bde850424
Opcode Fuzzy Hash: f945d3e1a79425627c6da8b51a7c0c57c0184afc728e1034eb687c0ff0b3cf3c
Instruction Fuzzy Hash: 2982C57160C7808BD3249B38C4953AFBBE2ABD5314F198A3EE5D9873D1D6788885CB47

Function 0063FE71 Relevance: 23.4, Strings: 18, Instructions: 932COMMON

Download Yara Rule

Strings

D, xrefs: 006405E1
+, xrefs: 006408E2
A, xrefs: 006405F9
h, xrefs: 00640003
U, xrefs: 00640721
3, xrefs: 0063FEFB
C, xrefs: 006405E9
$, xrefs: 00640214
P, xrefs: 00640719
`, xrefs: 0064006C
4, xrefs: 006402F9
B, xrefs: 006405F1
O, xrefs: 00640442
V, xrefs: 00640729
Z, xrefs: 0063FE84
A, xrefs: 006400DD
>, xrefs: 0063FE7F
DABCD, xrefs: 00640820

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: $$+$3$4$>$A$A$B$C$D$DABCD$O$P$U$V$Z$`$h
API String ID: 0-175843415
Opcode ID: 0143e5ed790f289c5e9cc618ea4542ac4f481ae83d486910d535da20e29d74e6
Instruction ID: 5016b1754a0afba3fa4259750098d516c85a3f4eaddf60422d02daabd2f81cf4
Opcode Fuzzy Hash: 0143e5ed790f289c5e9cc618ea4542ac4f481ae83d486910d535da20e29d74e6
Instruction Fuzzy Hash: E382C27260C7908FD3689B38C4953AFBBE2ABC5310F198A6DE5D9C7381DA748945CB43

Function 004231E0 Relevance: 22.0, Strings: 17, Instructions: 715COMMON

Download Yara Rule

Strings

K@, xrefs: 00422E60
D, xrefs: 00422E88
AF, xrefs: 00422E67
R%z', xrefs: 00423701
DCBA, xrefs: 00423E05
AC, xrefs: 00423815
70B, xrefs: 00422F44
&i>k, xrefs: 004234FC
OI, xrefs: 00423646
23, xrefs: 00423D3C
Y:[, xrefs: 00423580
%', xrefs: 00423878
I], xrefs: 00422E6E
V!U#, xrefs: 004236F6
0m-o, xrefs: 00423507
(), xrefs: 00423713
EG, xrefs: 00423549

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: &i>k$()$0m-o$23$70B$AF$DCBA$I]$K@$OI$R%z'$V!U#$%'$AC$D$EG$Y:[
API String ID: 0-3387583146
Opcode ID: 542a29833dba2fc85b0619addcfa35fa684eed0ac199a55b99e0b2fd35d79a3f
Instruction ID: 16013a809c66cbac903f3f4e81f4ba7fd5048d09a6dadcfe65741d29598e0966
Opcode Fuzzy Hash: 542a29833dba2fc85b0619addcfa35fa684eed0ac199a55b99e0b2fd35d79a3f
Instruction Fuzzy Hash: 66722EB520C3808BD734CF24D842B9BBBF1EB92304F50892DD4A96B255D7B58646CB9B

Function 004353A0 Relevance: 21.7, APIs: 10, Strings: 2, Instructions: 681memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C), ref: 00435648
SysAllocString.OLEAUT32(845C8253), ref: 004356CA
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043570A
SysAllocString.OLEAUT32(7E0C7C0C), ref: 00435776
SysAllocString.OLEAUT32(B9FDB705), ref: 00435837
VariantInit.OLEAUT32(4=>?), ref: 004358AD
VariantClear.OLEAUT32(?), ref: 00435A29
SysFreeString.OLEAUT32(?), ref: 00435A51
SysFreeString.OLEAUT32(?), ref: 00435A57
SysFreeString.OLEAUT32(00000000), ref: 00435A68

Strings

4=>?, xrefs: 004353D0
Ri, xrefs: 00435555

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: 4=>?$Ri
API String ID: 2485776651-1281010762
Opcode ID: 2d229a730f286afc9104f9f8f6d6c0564c3869e555612ab090718a67fbd0f1d6
Instruction ID: 7fd69b617c57492c6cc3a4850a10533796f215261fd1a1bde8e14e6a6fa4f0a4
Opcode Fuzzy Hash: 2d229a730f286afc9104f9f8f6d6c0564c3869e555612ab090718a67fbd0f1d6
Instruction Fuzzy Hash: 64220D72A083109BD310DF68CC81B9BBBE1EFC9314F19892DE985DB391D679D805CB96

Function 00665607 Relevance: 18.2, APIs: 8, Strings: 2, Instructions: 681memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0043F68C,00000000,00000001,0043F67C), ref: 006658AF
SysAllocString.OLEAUT32(845C8253), ref: 00665931
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00665971
SysAllocString.OLEAUT32(7E0C7C0C), ref: 006659DD
SysAllocString.OLEAUT32(B9FDB705), ref: 00665A9E
VariantInit.OLEAUT32(4=>?), ref: 00665B14
VariantClear.OLEAUT32(?), ref: 00665C90
SysFreeString.OLEAUT32(00000000), ref: 00665CCF

Strings

Ri, xrefs: 006657BC
4=>?, xrefs: 00665637

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
String ID: 4=>?$Ri
API String ID: 2775254435-1281010762
Opcode ID: fc3acc58aad8c399ce13224aee3e4af4e9b5248e949e360f05429ac816b750fe
Instruction ID: a835f7d0eeeba285a655cf0835d8b73535f3587c971af76619a18f0e0f1800b3
Opcode Fuzzy Hash: fc3acc58aad8c399ce13224aee3e4af4e9b5248e949e360f05429ac816b750fe
Instruction Fuzzy Hash: 4322EC72A087509BD310DF68CC85B9BBBE2EFC5314F18892CE9859B390D679D845CB92

Function 00419490 Relevance: 17.2, APIs: 1, Strings: 8, Instructions: 1409libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00439AF0: LdrInitializeThunk.NTDLL(0043BC68,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00439B1E

LoadLibraryExW.KERNEL32(B651B452,00000000,00000800), ref: 004198AF

Strings

5Zl, xrefs: 004196CD
DCBA, xrefs: 004194EF
Z\, xrefs: 00419925
5Zl, xrefs: 00419703
DCBA, xrefs: 0041A3C7
[\, xrefs: 00419853
DCBA, xrefs: 004199D9
^P, xrefs: 0041992D

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeLibraryLoadThunk
String ID: DCBA$DCBA$DCBA$[\$5Zl$5Zl$Z\$^P
API String ID: 3353482560-3151724278
Opcode ID: b29ca630592a0e44793fd661ff29bd1fb2ea27de8a5e4ba64f7b5fb51b52cd80
Instruction ID: 30ab7f929d8a07dc3d8873c68d2278d649e136490da9de6a5d43bf32cd8d4692
Opcode Fuzzy Hash: b29ca630592a0e44793fd661ff29bd1fb2ea27de8a5e4ba64f7b5fb51b52cd80
Instruction Fuzzy Hash: 1892A8316493409BD720CF64C8857AFB7E2FBD5300F18856EE5859B391D3B99C82CB9A

Function 00420720 Relevance: 16.8, Strings: 13, Instructions: 561COMMON

Download Yara Rule

Strings

DABCD, xrefs: 00420E6F
B, xrefs: 00420C3E
C, xrefs: 00420C39
B, xrefs: 004207BE
!@, xrefs: 00420753
A, xrefs: 00420C43
D, xrefs: 00420C34
D, xrefs: 004207B4
a, xrefs: 004209D5
,, xrefs: 00420CD7
v, xrefs: 00420D72
C, xrefs: 004207B9
A, xrefs: 004207C3

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: !@$,$A$A$B$B$C$C$D$D$DABCD$a$v
API String ID: 0-4069001718
Opcode ID: 298201aeec9fe9a03c193e75407c79c432cc4707fafc5b42be2530ab2259eeb7
Instruction ID: 6c52679abcfbc30870106b065bba07298c4f65f03cefc9d75d065d86b06c63aa
Opcode Fuzzy Hash: 298201aeec9fe9a03c193e75407c79c432cc4707fafc5b42be2530ab2259eeb7
Instruction Fuzzy Hash: 3622027160C3A08FD3248B68D49136FBBE1ABC5314F598A2EE5D687383D6BD8845C74B

Function 00650987 Relevance: 16.8, Strings: 13, Instructions: 561COMMON

Download Yara Rule

Strings

a, xrefs: 00650C3C
,, xrefs: 00650F3E
D, xrefs: 00650A1B
v, xrefs: 00650FD9
B, xrefs: 00650A25
C, xrefs: 00650EA0
A, xrefs: 00650EAA
A, xrefs: 00650A2A
C, xrefs: 00650A20
!@, xrefs: 006509BA
B, xrefs: 00650EA5
D, xrefs: 00650E9B
DABCD, xrefs: 006510D6

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$A$A$B$B$C$C$D$D$DABCD$a$v
API String ID: 0-4069001718
Opcode ID: d7b45b41f25deaa0add4abf3ee2d9ab6ca4d138ef485d6dd4fb75f55eb162747
Instruction ID: 4174dc9e977d01674827206a2f5afb11a70fe1041249efb73d8348c8cfc4af87
Opcode Fuzzy Hash: d7b45b41f25deaa0add4abf3ee2d9ab6ca4d138ef485d6dd4fb75f55eb162747
Instruction Fuzzy Hash: 3222E73160C7808FE7648B28C4913AEBBE2ABC6314F184A6DE9D5873C2D779C849C747

Function 004301D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004301E0
GetClipboardData.USER32 ref: 00430201
CloseClipboard.USER32 ref: 00430389

Strings

*, xrefs: 00430291
f, xrefs: 004302D2
\, xrefs: 004302BE

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID: *$\$f
API String ID: 2058664381-1385958094
Opcode ID: 6d25e50f95a898304c111669f48c34ac81ddc56b2352947e40473fece28f2948
Instruction ID: dfe4f76fb4420d9ddb465b28a3a3b57937e40393ef6313345e12e6993a02e68d
Opcode Fuzzy Hash: 6d25e50f95a898304c111669f48c34ac81ddc56b2352947e40473fece28f2948
Instruction Fuzzy Hash: B551CF7150C3818FD300AFB9D59839FBFE19B95304F194A3EE8C686282D6BC894D9767

Function 004256A0 Relevance: 12.9, APIs: 2, Strings: 5, Instructions: 693COMMON

Download Yara Rule

Strings

bB, xrefs: 004262D1
xMGN, xrefs: 0042625F
rs, xrefs: 0042610C
LoWf, xrefs: 004262B3, 004262B7
dUgS, xrefs: 00426237

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: LoWf$dUgS$rs$xMGN$bB
API String ID: 0-3045209501
Opcode ID: f981c4dd8b53c61b6aa9b9328c3a4ae88762b677551a85af2c2f122bad424416
Instruction ID: 22693ea03f3a30a5c5e52d7106bbfe1719d4fc8d2608bd825c3135a16ad0d625
Opcode Fuzzy Hash: f981c4dd8b53c61b6aa9b9328c3a4ae88762b677551a85af2c2f122bad424416
Instruction Fuzzy Hash: B12244B1A083508FC724DF24D84176FB7E2EBC1314F59897DE9958B392DB789901CB8A

Function 004298A0 Relevance: 12.7, Strings: 10, Instructions: 245COMMON

Download Yara Rule

Strings

n, xrefs: 00429ACE
tYCZ, xrefs: 00429A2A
mtwz, xrefs: 004299DD
UXWZ, xrefs: 00429A35
VM, xrefs: 00429AC4
h, xrefs: 0042995A
rrip, xrefs: 004299E8
VQlJ, xrefs: 00429AAE
NV[K, xrefs: 00429A40
UAPS, xrefs: 00429AA3

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: NV[K$UAPS$UXWZ$VM$VQlJ$h$mtwz$n$rrip$tYCZ
API String ID: 0-3331790720
Opcode ID: 23847872f2627ba97969ec9efbc11b36efa7c93efb836e547c5bc3453f7e3632
Instruction ID: 7741a0428823d80e118f5df9010b1c44a856e0838fbdef6cf153a24b4129b43b
Opcode Fuzzy Hash: 23847872f2627ba97969ec9efbc11b36efa7c93efb836e547c5bc3453f7e3632
Instruction Fuzzy Hash: 0381E0B150D3E18BE331CF25A0907ABBFE1AB96340F28496DC5DD5B342C7791805CB9A

Function 00659B07 Relevance: 12.7, Strings: 10, Instructions: 245COMMON

Download Yara Rule

Strings

VM, xrefs: 00659D2B
NV[K, xrefs: 00659CA7
h, xrefs: 00659BC1
rrip, xrefs: 00659C4F
mtwz, xrefs: 00659C44
tYCZ, xrefs: 00659C91
UAPS, xrefs: 00659D0A
UXWZ, xrefs: 00659C9C
n, xrefs: 00659D35
VQlJ, xrefs: 00659D15

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: NV[K$UAPS$UXWZ$VM$VQlJ$h$mtwz$n$rrip$tYCZ
API String ID: 0-3331790720
Opcode ID: aae7be8f98d5cfcf3df6500fd4fe9ecfd2467fefd35b72326082c59b2f8a4d05
Instruction ID: 1d4b70b6c5e8e55abbbede8f1eacc1b24a443a5e862e3a45b0966b1b7cef995e
Opcode Fuzzy Hash: aae7be8f98d5cfcf3df6500fd4fe9ecfd2467fefd35b72326082c59b2f8a4d05
Instruction Fuzzy Hash: 5A81CCB150D3D28BE331CF2594917EBBBE2AF92300F28496CC9D95B342C7750809CBA6

Function 004265F8 Relevance: 12.0, Strings: 9, Instructions: 705COMMON

Download Yara Rule

Strings

UGBY, xrefs: 00426AC9
~_\H, xrefs: 00426AE1
Q, xrefs: 0042666F
ulB, xrefs: 0042705F
Bmu`, xrefs: 00426A9F, 00426AA3
G_XH, xrefs: 00426AD9
2nB, xrefs: 00426D54
bweM, xrefs: 00426AB1
pmB, xrefs: 00426D10

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: 2nB$Bmu`$G_XH$Q$UGBY$bweM$pmB$ulB$~_\H
API String ID: 0-3564531749
Opcode ID: b0c83b6b8c312ca314d6504e38ffe315437d27dface0e1058c6a3a1f95ab2964
Instruction ID: d2b111bec6e00262cd7d6315126c8ca2ede061ad95bebf9370005d34f1dfac88
Opcode Fuzzy Hash: b0c83b6b8c312ca314d6504e38ffe315437d27dface0e1058c6a3a1f95ab2964
Instruction Fuzzy Hash: A6320E75608391CFD3108F28E88071ABBE1FF8A714F558A6EE4D49B391D778D905CB8A

Function 00409630 Relevance: 11.6, Strings: 9, Instructions: 400COMMON

Download Yara Rule

Strings

/, xrefs: 00409970
dINO, xrefs: 004097EA
j|, xrefs: 00409920
vq, xrefs: 00409930
*$"*, xrefs: 004096B0, 00409776, 00409705
\iPe, xrefs: 004097E2
34, xrefs: 00409998
wy, xrefs: 00409928
*$"*, xrefs: 004099D0

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: *$"*$*$"*$/$34$\iPe$dINO$j|$vq$wy
API String ID: 0-2503078089
Opcode ID: bcf6e07e8729db145a630841b2436792e2e9d57967a13fccd60a43c16f6ba714
Instruction ID: 0a748ab88c072d9ecacf6db472457a042bc4677918580400a89f79172a34eab1
Opcode Fuzzy Hash: bcf6e07e8729db145a630841b2436792e2e9d57967a13fccd60a43c16f6ba714
Instruction Fuzzy Hash: 6EC108716083408FD718DF65C8916AFBBE2EBC2314F14893DF4D19B392D639960ACB56

Function 00639897 Relevance: 11.6, Strings: 9, Instructions: 400COMMON

Download Yara Rule

Strings

vq, xrefs: 00639B97
\iPe, xrefs: 00639A49
*$"*, xrefs: 00639C37
34, xrefs: 00639BFF
dINO, xrefs: 00639A51
/, xrefs: 00639BD7
j|, xrefs: 00639B87
*$"*, xrefs: 0063996C, 00639917, 006399DD
wy, xrefs: 00639B8F

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: *$"*$*$"*$/$34$\iPe$dINO$j|$vq$wy
API String ID: 0-2503078089
Opcode ID: 8ac9da85c74be11f021edaad997e341506a5f24c854bf1e2e6f84df6fbd63d66
Instruction ID: 7e64ccea57eb6e9c6ec8b3748d3ae9162dfc8d219825a9ae926ff37095f3af5c
Opcode Fuzzy Hash: 8ac9da85c74be11f021edaad997e341506a5f24c854bf1e2e6f84df6fbd63d66
Instruction Fuzzy Hash: 18C127716083409FC718DF65C891AAFBBE2EFC2314F14892CF4D18B791D679960ACB56

Function 00415CFC Relevance: 11.5, Strings: 9, Instructions: 295COMMON

Download Yara Rule

Strings

P&@8, xrefs: 00415EAC
xYw[, xrefs: 00415E45
^:B<, xrefs: 00415EB4
D"A$, xrefs: 00415EA4
J6EH, xrefs: 00415ECC
C>X0, xrefs: 00415EBC
D, xrefs: 0041607B
MN, xrefs: 00415EDC
]*N,, xrefs: 00415E94

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: C>X0$D$D"A$$J6EH$MN$P&@8$]*N,$^:B<$xYw[
API String ID: 0-3292156457
Opcode ID: 4b91741d44bbb9e67184f8038f568f639802c141ee01a3d1a354fe95d94435b7
Instruction ID: 97124d278eb741466c8cd62b4a0441a66320b7c9e00ffdc6529f736d705479cb
Opcode Fuzzy Hash: 4b91741d44bbb9e67184f8038f568f639802c141ee01a3d1a354fe95d94435b7
Instruction Fuzzy Hash: 64A18CB0109340CFD3248F14C8A1BABBBF1FF86359F458A5DE4895F2A1E3798945CB5A

Function 00645F63 Relevance: 11.5, Strings: 9, Instructions: 270COMMON

Download Yara Rule

Strings

D, xrefs: 006462E2
]*N,, xrefs: 006460FB
MN, xrefs: 00646143
^:B<, xrefs: 0064611B
J6EH, xrefs: 00646133
P&@8, xrefs: 00646113
D"A$, xrefs: 0064610B
C>X0, xrefs: 00646123
xYw[, xrefs: 006460AC

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: C>X0$D$D"A$$J6EH$MN$P&@8$]*N,$^:B<$xYw[
API String ID: 0-3292156457
Opcode ID: c01f56ac3ccc5e4f1a2a5103a99a4653c78cd46fd9dec3fbbc0c6a9806f020c3
Instruction ID: 844dcbe3abc47e9ac83a7d4a1a01468331200390ad357e0e61e14895ad1f6082
Opcode Fuzzy Hash: c01f56ac3ccc5e4f1a2a5103a99a4653c78cd46fd9dec3fbbc0c6a9806f020c3
Instruction Fuzzy Hash: 60916CB0109340CFD3248F15C4A1BABBBF1FF86359F058A5CE48A5F6A1E3798949CB56

Function 006496F7 Relevance: 11.4, Strings: 8, Instructions: 1409COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0064A62E
5Zl, xrefs: 00649934
5Zl, xrefs: 0064996A
DCBA, xrefs: 00649756
[\, xrefs: 00649ABA
^P, xrefs: 00649B94
DCBA, xrefs: 00649C40
Z\, xrefs: 00649B8C

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA$DCBA$DCBA$[\$5Zl$5Zl$Z\$^P
API String ID: 0-3151724278
Opcode ID: a5bb96f8fb58afdbd05ec1222b3b21e17be2c577214794ee3ab3d4986997ad14
Instruction ID: d4045a306c8a2d0d6f15556c83cd4a93a98c7e34809b5b3478f1410213df4582
Opcode Fuzzy Hash: a5bb96f8fb58afdbd05ec1222b3b21e17be2c577214794ee3ab3d4986997ad14
Instruction Fuzzy Hash: 55925871A88340ABD720CBA4C885B6FB7E3FBD5700F29856CE5849B391D7719C46CB62

Function 0040E2D5 Relevance: 11.1, APIs: 2, Strings: 5, Instructions: 606COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E2E1
CoUninitialize.OLE32 ref: 0040E713

Strings

tr, xrefs: 0040E99E
d<, xrefs: 0040E721
";G, xrefs: 0040E87E
l, xrefs: 0040E9EB
nv, xrefs: 0040E97D

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: Uninitialize
String ID: ";G$d<$l$nv$tr
API String ID: 3861434553-995644117
Opcode ID: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
Instruction ID: df48264671a07a49878f384e58ab6bb208ea46f082ef2c8c8ba53de654e0de4f
Opcode Fuzzy Hash: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
Instruction Fuzzy Hash: 1612AE7550D3D08BD3328F2688906EBBFE1ABD7304F184A6DD4C95B392C73A5909CB96

Function 0063E53C Relevance: 11.1, APIs: 2, Strings: 5, Instructions: 606COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0063E548
CoUninitialize.COMBASE ref: 0063E97A

Strings

";G, xrefs: 0063EAE5
nv, xrefs: 0063EBE4
d<, xrefs: 0063E988
l, xrefs: 0063EC52
tr, xrefs: 0063EC05

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: ";G$d<$l$nv$tr
API String ID: 3861434553-995644117
Opcode ID: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
Instruction ID: 3844c52d9c930823c64435244e914fecbba9563ff79ddb7ca6f431b53206d3b3
Opcode Fuzzy Hash: 8677d267741a8d6fd2b04c2b67c7019589f9450b38e70caaeb5818bcc74a52c9
Instruction Fuzzy Hash: D412AF7550D3D08BD3328F2589906DBBFE2ABD7304F184A6CD4D94B392C73A5909CBA6

Function 00424CA0 Relevance: 10.4, Strings: 8, Instructions: 415COMMON

Download Yara Rule

Strings

DCBA, xrefs: 00424F85
AD, xrefs: 00424E26
DCBA, xrefs: 00425184
57, xrefs: 00424D97
1H, xrefs: 00424E1B
wRB, xrefs: 00425265
N>, xrefs: 00424E10
_Z, xrefs: 00424E31

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: 1H$AD$DCBA$DCBA$N>$_Z$wRB$57
API String ID: 0-3524205428
Opcode ID: 701f1c09ff622e89b40d8fc4fcd832d7385bbcf89070960539cfeaf12fd2aec3
Instruction ID: cd4972261fe5019d2e477ec9a586387980cd93902854a39ddc480d70f46f6bef
Opcode Fuzzy Hash: 701f1c09ff622e89b40d8fc4fcd832d7385bbcf89070960539cfeaf12fd2aec3
Instruction Fuzzy Hash: F2D1F0B860C340DFE7209F24E891B6BBBE0FB86704F90596DF5C58B251D7749905CB8A

Function 00417CE5 Relevance: 10.3, Strings: 8, Instructions: 337COMMON

Download Yara Rule

Strings

U, xrefs: 00418027
|&t8, xrefs: 00417D10
d"d$, xrefs: 00417D05
Z\, xrefs: 00417E23
m:i<, xrefs: 00417D1B
L, xrefs: 00417F73
^P, xrefs: 00417E2E
l2r4, xrefs: 00417D31

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: L$U$d"d$$l2r4$m:i<$|&t8$Z\$^P
API String ID: 0-2099673811
Opcode ID: debc541419497fd2bf34ab8bb75b038f6e6d31bc79fce4246c67558bb0e787b9
Instruction ID: cd1778639ba37b6a685d7e122a664545ec173aea6e455d98c025d7f186f6d613
Opcode Fuzzy Hash: debc541419497fd2bf34ab8bb75b038f6e6d31bc79fce4246c67558bb0e787b9
Instruction Fuzzy Hash: 7FC167B19093818BD3358F29C4A13EBBBE1EFD9314F14892DD4CA5B355DB785841CB86

Function 004160F1 Relevance: 9.7, Strings: 7, Instructions: 923COMMON

Download Yara Rule

Strings

VZXy, xrefs: 004165EA
DCBA, xrefs: 0041615A
DCBA, xrefs: 00416506
DCBA, xrefs: 004163E9
DCBA, xrefs: 00416A22
DCBA, xrefs: 0041671A
p, xrefs: 00416867

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: DCBA$DCBA$DCBA$DCBA$DCBA$VZXy$p
API String ID: 2994545307-64135372
Opcode ID: 3de0c4144b3ce83bad1cd4645ce3383402e3a4e228abd29f1e8d8bd90a5312c7
Instruction ID: 96ce043d70a411a3f265d73f361643a0bdf7acca8b37c2b47f0a5e2a0d0e7c21
Opcode Fuzzy Hash: 3de0c4144b3ce83bad1cd4645ce3383402e3a4e228abd29f1e8d8bd90a5312c7
Instruction Fuzzy Hash: 2B329B756093409FD7148F24C880BBBB792FB96300F1A99BDE0C297292C779DC46CB5A

Function 00647F4C Relevance: 8.9, Strings: 7, Instructions: 151COMMON

Download Yara Rule

Strings

|&t8, xrefs: 00647F77
d"d$, xrefs: 00647F6C
l2r4, xrefs: 00647F98
Z\, xrefs: 0064808A
^P, xrefs: 00648095
L, xrefs: 006481DA
m:i<, xrefs: 00647F82

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: L$d"d$$l2r4$m:i<$|&t8$Z\$^P
API String ID: 0-1724584702
Opcode ID: f170f92f95ff58ebefa41c41c7044fc85bff361226586cd23f0ba755eb3a4b8f
Instruction ID: 2d7320d6aa63b1936fb2fe1d64782ffb34253981b8dc5bec61cdb7e1e7e8da8d
Opcode Fuzzy Hash: f170f92f95ff58ebefa41c41c7044fc85bff361226586cd23f0ba755eb3a4b8f
Instruction Fuzzy Hash: 6D6134B29093918BD7358F5588923EFBAE2EBD9304F18892DC4CD5B355DB384512CB8B

Function 0040A9B0 Relevance: 7.9, Strings: 6, Instructions: 396COMMON

Download Yara Rule

Strings

fp~f, xrefs: 0040ACD7
LGHI, xrefs: 0040AB2B
jk, xrefs: 0040AB66
jdkb, xrefs: 0040AD04, 0040AE21, 0040AE22
ec}y, xrefs: 0040A9C9
CIE, xrefs: 0040AB23

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: LGHI$ec}y$fp~f$jdkb$jk$CIE
API String ID: 0-1801165453
Opcode ID: 67c9a069925716532465acd6bbc692f27c45daaf7ee1d9b80331a1016a7c4124
Instruction ID: f7a6e3dff254edd297ad885eaa72bead2b20a4844f05c981639e4c953a739855
Opcode Fuzzy Hash: 67c9a069925716532465acd6bbc692f27c45daaf7ee1d9b80331a1016a7c4124
Instruction Fuzzy Hash: 62C1E27524C3508BC324DF2584516AFFBE3ABC2304F19897DE4D56F386D67988168B8B

Function 0063AC17 Relevance: 7.9, Strings: 6, Instructions: 396COMMON

Download Yara Rule

Strings

LGHI, xrefs: 0063AD92
ec}y, xrefs: 0063AC30
fp~f, xrefs: 0063AF3E
jk, xrefs: 0063ADCD
CIE, xrefs: 0063AD8A
jdkb, xrefs: 0063AF6B, 0063B088, 0063B089

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: LGHI$ec}y$fp~f$jdkb$jk$CIE
API String ID: 0-1801165453
Opcode ID: bcc18b650d6663702cff9dae8dad8c9ea42bcf290737524e91fd9fa945319b3e
Instruction ID: 3f2d36270915763ec45ce15778d0f05c11a4f6afa84138373a146d7d050f7a83
Opcode Fuzzy Hash: bcc18b650d6663702cff9dae8dad8c9ea42bcf290737524e91fd9fa945319b3e
Instruction Fuzzy Hash: C3C1CFB560C3908BC328DF6584516AFFBE3ABC2304F18896CE5D54B346D7768806DB86

Function 00422500 Relevance: 7.8, Strings: 6, Instructions: 316COMMON

Download Yara Rule

Strings

,-, xrefs: 00422546
E%R', xrefs: 00422532
U:k<U:k<, xrefs: 004229A6
R6RH, xrefs: 00422A1F
:JKL, xrefs: 00422A27
J2R4, xrefs: 00422A17

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: ,-$:JKL$E%R'$J2R4$R6RH$U:k<U:k<
API String ID: 0-2420122908
Opcode ID: 5d4c5e031a35d2ea3f1712751076acbd70fb621571afff35f2b807dfc1b72810
Instruction ID: 6b06236beee3d898c864226b0be25ba88f7d32fe8b31c2ca05b9ec177afa5170
Opcode Fuzzy Hash: 5d4c5e031a35d2ea3f1712751076acbd70fb621571afff35f2b807dfc1b72810
Instruction Fuzzy Hash: F99168B17083209BD310CF65E89132BB6A2EFD5315F09C63DE9D94B394EBB88845C796

Function 006388F7 Relevance: 7.7, APIs: 5, Instructions: 232threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 006389C3
GetCurrentThreadId.KERNEL32 ref: 006389CD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00638A81
GetForegroundWindow.USER32 ref: 00638A96

Part of subcall function 0063CA27: CoInitializeEx.COMBASE(00000000,00000002), ref: 0063CA3A

ExitProcess.KERNEL32 ref: 00638BE4

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3701390975-0
Opcode ID: f156c9e9ffb1af7124b3f068754f2c8bc1c80a4496f267aafe55d2251d073faa
Instruction ID: 4ba6db657f0c0a9c44bd19cc8d04c6405396e60fc9d71a9bafadc959d5c3e55f
Opcode Fuzzy Hash: f156c9e9ffb1af7124b3f068754f2c8bc1c80a4496f267aafe55d2251d073faa
Instruction Fuzzy Hash: 5B7127B3B147105FC358AF6DCC427AAB6D7ABC4310F1A813DA89ADB395E9748C0587C5

Function 0041826E Relevance: 7.5, Strings: 5, Instructions: 1282COMMON

Download Yara Rule

Strings

U, xrefs: 00418027
WXY, xrefs: 00418DB6
c, xrefs: 0041827E
DCBA, xrefs: 00418449
~, xrefs: 0041894B

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: DCBA$U$c$~$WXY
API String ID: 0-3844840400
Opcode ID: 8c793a632efa5076af8c4f3935a8977d6bf468029ba376d3d2eb67fa362f7255
Instruction ID: ad6be07e208ed71de44fb24f4504fc6c4360d8e0441fc038e20a1abadb2b44b7
Opcode Fuzzy Hash: 8c793a632efa5076af8c4f3935a8977d6bf468029ba376d3d2eb67fa362f7255
Instruction Fuzzy Hash: BB9247725083518BC724CF28C8507ABB7E2FFD9314F19896DE8C99B3A1DB389941CB56

Function 00435090 Relevance: 6.5, Strings: 5, Instructions: 248COMMON

Download Yara Rule

Strings

C, xrefs: 004352E7
DCBADCBA, xrefs: 004351F7
A, xrefs: 004352EF
D, xrefs: 004352E3
B, xrefs: 004352EB

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: A$B$C$D$DCBADCBA
API String ID: 0-3740881347
Opcode ID: adecac1cb3f50ce779c15c6944098ec97546d2522254e89f39d4e12291314d8a
Instruction ID: 63b755127d4de6a4aad4bad12af58016d43057d5d69cefd924e5173af3b20b52
Opcode Fuzzy Hash: adecac1cb3f50ce779c15c6944098ec97546d2522254e89f39d4e12291314d8a
Instruction Fuzzy Hash: 2AA16A31E08654CFDB04CBBCC4513AE7BF1AB4A310F1851AED886A73D2C27D8941CB9A

Function 006652F7 Relevance: 6.5, Strings: 5, Instructions: 248COMMON

Download Yara Rule

Strings

B, xrefs: 00665552
C, xrefs: 0066554E
DCBADCBA, xrefs: 0066545E
D, xrefs: 0066554A
A, xrefs: 00665556

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: A$B$C$D$DCBADCBA
API String ID: 0-3740881347
Opcode ID: 578b4dd5a6c8ea73de38b9c70cb6d67d1f5f9ed6fef010a405ed820bbce85abd
Instruction ID: f8699d335a13a2e93cb48c39b376982e8090fb1a1ac9518b6df70dc34b2cc2d2
Opcode Fuzzy Hash: 578b4dd5a6c8ea73de38b9c70cb6d67d1f5f9ed6fef010a405ed820bbce85abd
Instruction Fuzzy Hash: BBA13571A08690CFDB04CB7CC4563EE7BE3AB46310F1841ADE987A7392D6798941CB96

Function 0042B429 Relevance: 6.5, Strings: 5, Instructions: 241COMMON

Download Yara Rule

Strings

u, xrefs: 0042B434
z\R6, xrefs: 0042B53C
kl, xrefs: 0042B6CE
|~, xrefs: 0042B6A2
\}, xrefs: 0042B4BB

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: \}$kl$u$z\R6$|~
API String ID: 0-839039025
Opcode ID: 61e48381633d6ac082315ab95e76aadf48114a4cc7cad988b7e374e2d1fe872f
Instruction ID: d376f31ca106a3e18cae543faef04638516657012839f8bd0dc1c3cc62336a40
Opcode Fuzzy Hash: 61e48381633d6ac082315ab95e76aadf48114a4cc7cad988b7e374e2d1fe872f
Instruction Fuzzy Hash: 9D7114716083A18FD335CF38C8917ABBBD1EB96304F18896DD4C98B342D77949498B96

Function 0065B690 Relevance: 6.5, Strings: 5, Instructions: 241COMMON

Download Yara Rule

Strings

|~, xrefs: 0065B909
\}, xrefs: 0065B722
z\R6, xrefs: 0065B7A3
u, xrefs: 0065B69B
kl, xrefs: 0065B935

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: \}$kl$u$z\R6$|~
API String ID: 0-839039025
Opcode ID: bd2d64ea207b657f9243566771ea2661c58617bd3ededba741a81157cb3b0028
Instruction ID: 1b10945a5889d2e648341dd96350862f02a8e90ddcf47bcfb728d1fc1ca4b040
Opcode Fuzzy Hash: bd2d64ea207b657f9243566771ea2661c58617bd3ededba741a81157cb3b0028
Instruction Fuzzy Hash: C47114719083D08FD335CF38C8917AABBD2ABD6305F18896CD8D99B342D7394449CB52

Function 0041D6F0 Relevance: 5.9, Strings: 4, Instructions: 866COMMON

Download Yara Rule

Strings

), xrefs: 0041DDEC
, xrefs: 0041D916
{yrs, xrefs: 0041DADC
&=",, xrefs: 0041DA68

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: $&=",$)${yrs
API String ID: 0-1254945749
Opcode ID: d40627908e96dda92a4d965530751face9949d40852ba6946d5ffca92c465dbb
Instruction ID: 81033180e824efb6238312a03b4fd97b2519aaf2c39ab56ec81eecc0e62b379a
Opcode Fuzzy Hash: d40627908e96dda92a4d965530751face9949d40852ba6946d5ffca92c465dbb
Instruction Fuzzy Hash: EB52367590C3908FC725CF25C8807AFBBE1AF96304F08856EE8D55B392D739894ACB56

Function 0064D957 Relevance: 5.9, Strings: 4, Instructions: 866COMMON

Download Yara Rule

Strings

, xrefs: 0064DB7D
), xrefs: 0064E053
&=",, xrefs: 0064DCCF
{yrs, xrefs: 0064DD43

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: $&=",$)${yrs
API String ID: 0-1254945749
Opcode ID: 661dbf6275ce4e66877418fd6aa5fc849ba9af581777508d473cdf607121d787
Instruction ID: bd717fe458aca866c9874f211b08c902d441b4b6559491f365ea0dca30e09de4
Opcode Fuzzy Hash: 661dbf6275ce4e66877418fd6aa5fc849ba9af581777508d473cdf607121d787
Instruction Fuzzy Hash: F152197190C3908FC725CF24C8907AEBBE2AF96314F08856CE4E55B392D776890ACB56

Function 004389F0 Relevance: 5.6, Strings: 4, Instructions: 626COMMON

Download Yara Rule

Strings

DCBA, xrefs: 00438A2C
+[J;, xrefs: 00438DDC
f, xrefs: 00438BE0
DCBA, xrefs: 00438C10

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: +[J;$DCBA$DCBA$f
API String ID: 2994545307-979426530
Opcode ID: b779821aa48d1f537e0a5818c19115795b1aac73c8baaf1e0f495c05489447a5
Instruction ID: 6e64e34dcd31ac6d1c56d3237c8ca23546036134a602b87600847ab7c5b3d5d6
Opcode Fuzzy Hash: b779821aa48d1f537e0a5818c19115795b1aac73c8baaf1e0f495c05489447a5
Instruction Fuzzy Hash: A912F3716083418BC718CF29C89072BB7E2FBD9314F189A6EF49597391DB79ED018B86

Function 00668C57 Relevance: 5.6, Strings: 4, Instructions: 626COMMON

Download Yara Rule

Strings

+[J;, xrefs: 00669043
f, xrefs: 00668E47
DCBA, xrefs: 00668C93
DCBA, xrefs: 00668E77

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: +[J;$DCBA$DCBA$f
API String ID: 0-979426530
Opcode ID: 48d5d608eb985fab174c10b48fd99f670c944790a462ad4e5eb59291947fbe0a
Instruction ID: be39ff37518e36dc397f9cf328a12e9cd80eb9f6ac2bf4c04cf4aea8d11c5de6
Opcode Fuzzy Hash: 48d5d608eb985fab174c10b48fd99f670c944790a462ad4e5eb59291947fbe0a
Instruction Fuzzy Hash: 8D12F2316083419FC718CF29C89066AB7E7EFC5314F188A6CE8959B391DB35D902CB92

Function 00415230 Relevance: 5.5, Strings: 4, Instructions: 545COMMON

Download Yara Rule

Strings

rs, xrefs: 004156C2
Z\, xrefs: 004152C0
^_P, xrefs: 004152CB
DCBA, xrefs: 0041561A

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: DCBA$rs$Z\$^_P
API String ID: 0-3257825499
Opcode ID: 50a9779d30f8cc91336670ce3e0e145e1b3547c5cbfd7af598a283e598e9310b
Instruction ID: 9c79908d2813ced46a7d3ae357090ec9141b3c475fe34d6f3bc4c6d29fa8a044
Opcode Fuzzy Hash: 50a9779d30f8cc91336670ce3e0e145e1b3547c5cbfd7af598a283e598e9310b
Instruction Fuzzy Hash: 08E10175A08340DFD7209F15D8427ABB3A5FFC6314F48452EE4998B391EB789841CB9B

Function 00435E40 Relevance: 5.4, Strings: 4, Instructions: 437COMMON

Download Yara Rule

Strings

DCBA, xrefs: 004360F4
DCBA, xrefs: 00435FE8, 004362D0
DCBA, xrefs: 00435E94
DCBA, xrefs: 00436023

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: DCBA$DCBA$DCBA$DCBA
API String ID: 0-1380943437
Opcode ID: 905e47680af409e217e9f434af446c789fd898020731aac53781d5d697e793ba
Instruction ID: db2459913d76577c8d131428bae0f0046f550a55b2fe272ecb3189ba83e80acf
Opcode Fuzzy Hash: 905e47680af409e217e9f434af446c789fd898020731aac53781d5d697e793ba
Instruction Fuzzy Hash: 6AC113316083119BD710DF50C881B2BF7E2EB89714F16A97EE98567382D7799C018BAA

Function 006660A7 Relevance: 5.4, Strings: 4, Instructions: 437COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0066635B
DCBA, xrefs: 0066628A
DCBA, xrefs: 006660FB
DCBA, xrefs: 00666537, 0066624F

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA$DCBA$DCBA$DCBA
API String ID: 0-1380943437
Opcode ID: 33cadba889885d8b1310e7b0f4d6488fb0f98d01f91fb5a7437287544b57009f
Instruction ID: e17653bd21ec990bcdf9c94316ea170613a5398e83a24fb6bd47de3f0d165b2a
Opcode Fuzzy Hash: 33cadba889885d8b1310e7b0f4d6488fb0f98d01f91fb5a7437287544b57009f
Instruction Fuzzy Hash: EBC1EE716083409BD3109F64E881B6BB7E6EBC1714F18967CF98467352D771AC02CBA6

Function 00427080 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

Iz, xrefs: 00427368
/, xrefs: 004270C0
qG, xrefs: 00427360
N\, xrefs: 00427370

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: /$Iz$N\$qG
API String ID: 0-658477336
Opcode ID: be4e17f55111f66921878d8418ef5b2c97e4d3f04a05f68863e28be091ec053c
Instruction ID: be75faf4fe44f83840ce8e0eddf1364d3b9e2de682b49651c7ded75656227445
Opcode Fuzzy Hash: be4e17f55111f66921878d8418ef5b2c97e4d3f04a05f68863e28be091ec053c
Instruction Fuzzy Hash: 9BD1CE7660C3228FD724CF24D8517AFB7E1EBC5314F04892DE4959B381E778DA0A8B96

Function 0042A03C Relevance: 5.4, Strings: 4, Instructions: 413COMMON

Download Yara Rule

Strings

p., xrefs: 0042A43B
Yysw, xrefs: 0042A430
)'->, xrefs: 0042A372
5+, xrefs: 0042A490

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: 5+$)'->$Yysw$p.
API String ID: 0-3271381888
Opcode ID: 7bc9d37edc3057e610e15797e311d901a77cf4983808ab4ed45449bae220d780
Instruction ID: a0bfec2fd4801fa297db708dd0ce194928d6281eb9dfd43985bf1e531d4ceda7
Opcode Fuzzy Hash: 7bc9d37edc3057e610e15797e311d901a77cf4983808ab4ed45449bae220d780
Instruction Fuzzy Hash: 63B1013050C3D18BD7358F3998A17ABBBD19F97314F5888AED5C98B382D779400A8B67

Function 0065A2A3 Relevance: 5.4, Strings: 4, Instructions: 413COMMON

Download Yara Rule

Strings

p., xrefs: 0065A6A2
)'->, xrefs: 0065A5D9
Yysw, xrefs: 0065A697
5+, xrefs: 0065A6F7

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: 5+$)'->$Yysw$p.
API String ID: 0-3271381888
Opcode ID: 676072ffead43f5c2691d0c6a966054a6c2ee28228cf6f8471cefe7bdb492b59
Instruction ID: adadcc88b29dd2fa94844d9909a050906af9a1199c9e86e932a8f7dcc2f65be0
Opcode Fuzzy Hash: 676072ffead43f5c2691d0c6a966054a6c2ee28228cf6f8471cefe7bdb492b59
Instruction Fuzzy Hash: 75B1F1301083C18AD7358F78C8A0BEABBE29F92345F18496DD5D98B282D779454ACB63

Function 0043395D Relevance: 5.4, Strings: 4, Instructions: 379COMMON

Download Yara Rule

Strings

B, xrefs: 00433DA2
C, xrefs: 00433D9E
A, xrefs: 00433DA6
D, xrefs: 00433D9A

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: A$B$C$D
API String ID: 0-483099237
Opcode ID: 7faefb273461f8ec36540b997c0022dc4d909690a7191f3854a272fe84b1f62d
Instruction ID: e225b5a330cc60262ecc9cc9b93cb77643b4512128a0f7ea36a7fe259bee2e2d
Opcode Fuzzy Hash: 7faefb273461f8ec36540b997c0022dc4d909690a7191f3854a272fe84b1f62d
Instruction Fuzzy Hash: 52126E2050CBD2DED722C73C8458349BF917B67324F088388D1E55BBD2C3A9A965C7E6

Function 00663BC4 Relevance: 5.4, Strings: 4, Instructions: 379COMMON

Download Yara Rule

Strings

C, xrefs: 00664005
D, xrefs: 00664001
A, xrefs: 0066400D
B, xrefs: 00664009

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: A$B$C$D
API String ID: 0-483099237
Opcode ID: 6fc8adfd210e5e5507fcacf10cdf3568429e9e95557b84b98c4825c0ca66381b
Instruction ID: 6ce037c47214d4c390b49c668851398ede6c1056d77b9cda2c790b11bcfbfeec
Opcode Fuzzy Hash: 6fc8adfd210e5e5507fcacf10cdf3568429e9e95557b84b98c4825c0ca66381b
Instruction Fuzzy Hash: FC12602050CBD2DED326C73C8448749BF917B27324F088388D1E55BBD2C7AAA965C7E6

Function 00409270 Relevance: 5.4, Strings: 4, Instructions: 375COMMON

Download Yara Rule

Strings

1<7n, xrefs: 004093AD
%!+!, xrefs: 004093A5
",*", xrefs: 00409395
jrj-, xrefs: 0040939D

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: ",*"$%!+!$1<7n$jrj-
API String ID: 0-1366688494
Opcode ID: c6c5228e0b3d99bb4fe49e8e5f77b92791fa7544ae884492db604a47cca9ae8e
Instruction ID: cbffaeedfb35219c005300c1b01725cc43cf78952604f74f2e29baaef4c71618
Opcode Fuzzy Hash: c6c5228e0b3d99bb4fe49e8e5f77b92791fa7544ae884492db604a47cca9ae8e
Instruction Fuzzy Hash: 73A1E47124C3919AC316CF3994A07ABFFE09F97304F48496DE4D55B382D339890AC7AA

Function 006394D7 Relevance: 5.4, Strings: 4, Instructions: 375COMMON

Download Yara Rule

Strings

1<7n, xrefs: 00639614
%!+!, xrefs: 0063960C
jrj-, xrefs: 00639604
",*", xrefs: 006395FC

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ",*"$%!+!$1<7n$jrj-
API String ID: 0-1366688494
Opcode ID: c6c5228e0b3d99bb4fe49e8e5f77b92791fa7544ae884492db604a47cca9ae8e
Instruction ID: 7bfd256d3deb6d31bca35a01a042eb0d037e76e812cc568d8963e947e4cc22e5
Opcode Fuzzy Hash: c6c5228e0b3d99bb4fe49e8e5f77b92791fa7544ae884492db604a47cca9ae8e
Instruction Fuzzy Hash: C0A1E47064D3D18BD3168F2994A07ABFFE19F97304F48496CE4D15B382D375890ACBA6

Function 004340EF Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

C, xrefs: 0043445D
D, xrefs: 00434459
B, xrefs: 00434461
A, xrefs: 00434465

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: A$B$C$D
API String ID: 0-483099237
Opcode ID: ca9659287533289adc6236492f1fc9de106d76657fbd2bb9f7c60c514b364a3f
Instruction ID: 0a39cb7f803d4c185451d864b9e497c9f34c0258a9932171ab1266936fe19994
Opcode Fuzzy Hash: ca9659287533289adc6236492f1fc9de106d76657fbd2bb9f7c60c514b364a3f
Instruction Fuzzy Hash: 45E104215087D18ED326CB3C885875A7FA15B67224F0EC3DED4EA9F3E3C2649906C796

Function 00664356 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

C, xrefs: 006646C4
B, xrefs: 006646C8
D, xrefs: 006646C0
A, xrefs: 006646CC

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: A$B$C$D
API String ID: 0-483099237
Opcode ID: de9b048c26e6d0f6850fafc11c1e05ccd6cf662f8d328d81d6d50265da5cc2da
Instruction ID: b7d95250b743e17ec3973c2a12ac6a7b609bb2601f55edb7d37c87ac517c4fa5
Opcode Fuzzy Hash: de9b048c26e6d0f6850fafc11c1e05ccd6cf662f8d328d81d6d50265da5cc2da
Instruction Fuzzy Hash: 9BE1D0215087D18ED326CB3C8858B597FA25B67224F0EC3DDD4EA9F3E3C6658906C396

Function 0040DCA0 Relevance: 5.3, Strings: 4, Instructions: 314COMMON

Download Yara Rule

Strings

9=, xrefs: 0040DE96
@bq, xrefs: 0040DD12
N3, xrefs: 0040E086
@bq, xrefs: 0040DF02

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: 9=$N3$@bq$@bq
API String ID: 0-4156016172
Opcode ID: 4b36ef43714d28ad1f96cd5d61569cb86c358b0dad2be6ab9e68dc04d3e0e56c
Instruction ID: 35755ea2fee2548ef166cf2072f2c04e5b5edc333876189fadc4d885ac75e1d3
Opcode Fuzzy Hash: 4b36ef43714d28ad1f96cd5d61569cb86c358b0dad2be6ab9e68dc04d3e0e56c
Instruction Fuzzy Hash: 10918D35A083514BC3249B25C8517EFBBE2EFDA314F08CA3DD4C9A7382DA785805879B

Function 0040C830 Relevance: 5.3, Strings: 4, Instructions: 294COMMON

Download Yara Rule

Strings

<=, xrefs: 0040CB84
CIE, xrefs: 0040CB2C
LGHI, xrefs: 0040CB37
<=, xrefs: 0040C830

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: <=$<=$LGHI$CIE
API String ID: 0-1119745755
Opcode ID: 0bcdece6d7876d8268f25a05d73a559a7a36f50d7a9f8c677ce4e34470149156
Instruction ID: 32d4a041f101078bd4bc94fa57d7e14e415041f5642be7670513e9c8a07ffdec
Opcode Fuzzy Hash: 0bcdece6d7876d8268f25a05d73a559a7a36f50d7a9f8c677ce4e34470149156
Instruction Fuzzy Hash: D591BCB594E3D08BD3358F2598913DBBBE1EBDA314F184A6DC4C95B382C7394506CB8A

Function 0063CA97 Relevance: 5.3, Strings: 4, Instructions: 294COMMON

Download Yara Rule

Strings

LGHI, xrefs: 0063CD9E
CIE, xrefs: 0063CD93
<=, xrefs: 0063CDEB
<=, xrefs: 0063CA97

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: <=$<=$LGHI$CIE
API String ID: 0-1119745755
Opcode ID: 0bcdece6d7876d8268f25a05d73a559a7a36f50d7a9f8c677ce4e34470149156
Instruction ID: 5070d581f176df5f65fc6a49c75df2f45d22b67eb90aede1c83b5a5853baee03
Opcode Fuzzy Hash: 0bcdece6d7876d8268f25a05d73a559a7a36f50d7a9f8c677ce4e34470149156
Instruction Fuzzy Hash: F991ECB594E3D08BD3318F2498907EBBBE1EBDA314F181A6CD4C95B342C7354506CB86

Function 00416D85 Relevance: 4.9, Strings: 3, Instructions: 1182COMMON

Download Yara Rule

Strings

%, xrefs: 004170FD
uqrs, xrefs: 0041785A, 004178F2
DCBA, xrefs: 004175EF

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: %$DCBA$uqrs
API String ID: 0-9501616
Opcode ID: 6095295eff28b4b58ca466a210876bdfebb9a736bcba3fc6d04977fa9623aa5f
Instruction ID: ed17296a2185546ad2603751c121c2a9f36bd559eda4e8f93ade012da641662b
Opcode Fuzzy Hash: 6095295eff28b4b58ca466a210876bdfebb9a736bcba3fc6d04977fa9623aa5f
Instruction Fuzzy Hash: 2B821475A083519FD7208F28C891BABB7E1FF96314F08493EE4998B391D7799841CB86

Function 0041BAA0 Relevance: 4.4, Strings: 3, Instructions: 625COMMON

Download Yara Rule

Strings

U,H., xrefs: 0041BC35
VW, xrefs: 0041BEFE
uv, xrefs: 0041BC94

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: U,H.$VW$uv
API String ID: 0-341193346
Opcode ID: f3fa30c7ffa476e71abc35fd4b49daa5e2f3ae7224b2e48c90db132b773a9120
Instruction ID: 20c827bd32c65c1271496b191bb2a77adcd29e63f9a868e6ddec13a3d9f9c5cf
Opcode Fuzzy Hash: f3fa30c7ffa476e71abc35fd4b49daa5e2f3ae7224b2e48c90db132b773a9120
Instruction Fuzzy Hash: 2702007264C3009BD704DF65C8916ABBBF2EF96314F08982DF4C58B392E3389945CB96

Function 004158D6 Relevance: 4.0, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

gfff, xrefs: 00415A2A
7, xrefs: 004159FD
DCBA, xrefs: 00415B0F

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: 7$DCBA$gfff
API String ID: 0-1442881509
Opcode ID: b3ba1445c26da6b22707cc5d845a939713ff511ef573d9fdc1e342ac4297eebd
Instruction ID: 9d9ef5e8d0571ec1439f7c8245e8eae240db84c2fe772280dd0b0067dd9d7dcc
Opcode Fuzzy Hash: b3ba1445c26da6b22707cc5d845a939713ff511ef573d9fdc1e342ac4297eebd
Instruction Fuzzy Hash: 19615471A187558BE314CF28C8417AB73D6EBC5314F48853EE486CB3D1EB7898468B86

Function 00645B3D Relevance: 4.0, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

7, xrefs: 00645C64
DCBA, xrefs: 00645D76
gfff, xrefs: 00645C91

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: 7$DCBA$gfff
API String ID: 0-1442881509
Opcode ID: 1b2eab978b5e754d935ddeef49e84803ff1718d1028783928ca8bc2e968674ab
Instruction ID: ad0f3532557a15143e030be8bab489074596b7453052d84636bd4c756a4b8a99
Opcode Fuzzy Hash: 1b2eab978b5e754d935ddeef49e84803ff1718d1028783928ca8bc2e968674ab
Instruction Fuzzy Hash: DA611371A187518FE324CB28C851BAA77D6EFC5314F18857DE486CB3D2EB749806CB86

Function 0042A80B Relevance: 3.9, Strings: 3, Instructions: 110COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0042A8B5
<#:Z, xrefs: 0042A821
IO{B, xrefs: 0042A816

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: <#:Z$DCBA$IO{B
API String ID: 2994545307-3001781657
Opcode ID: eb4e246fcae7f77e475b20ab0a4315972cd4437c3f998053f4b5719bcf771401
Instruction ID: e8f0e9b6a8d6456f061768eb9e0068afe562bbdc9d967e798bf7ba60a950b8bf
Opcode Fuzzy Hash: eb4e246fcae7f77e475b20ab0a4315972cd4437c3f998053f4b5719bcf771401
Instruction Fuzzy Hash: 133169746083918FD7248B35A861B7BFBE0EF93304F58196CD0CA97293D3354812870E

Function 0065AA72 Relevance: 3.9, Strings: 3, Instructions: 110COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0065AB1C
<#:Z, xrefs: 0065AA88
IO{B, xrefs: 0065AA7D

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: <#:Z$DCBA$IO{B
API String ID: 0-3001781657
Opcode ID: 7d6e9423454889dde5c55ba223d20bd924424d0cca6342edaefedd2d0575120a
Instruction ID: 8794b85a12482f8f5d0905793549dc26f6ea74108a9d22f756160f7bd13ac9c9
Opcode Fuzzy Hash: 7d6e9423454889dde5c55ba223d20bd924424d0cca6342edaefedd2d0575120a
Instruction Fuzzy Hash: DB3108701083814FD7258B388461BBBBBE3EF93315F285A6CD4CA97293D331980ACB16

Function 0042D32A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042D3C4

Strings

0, xrefs: 0042D5FA

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 9788781063624b3d0d3c335ec3d0ab6fb756623c7db389bba1591df65a192210
Instruction ID: fe41006882c24f4a0456cb53abb896f387fe7fa6d710c33ad7f327e38dde6c28
Opcode Fuzzy Hash: 9788781063624b3d0d3c335ec3d0ab6fb756623c7db389bba1591df65a192210
Instruction Fuzzy Hash: 8DB15961108BC0CEE316CB39C888B567FD15B66318F4E82DDC1A94F7E3D6BA9509C726

Function 0065D591 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0065D62B

Strings

0, xrefs: 0065D861

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 9788781063624b3d0d3c335ec3d0ab6fb756623c7db389bba1591df65a192210
Instruction ID: dcfc04ba01e099d3298d2a662369fb6f70b2974df1cc70bd4e6acc79519fd367
Opcode Fuzzy Hash: 9788781063624b3d0d3c335ec3d0ab6fb756623c7db389bba1591df65a192210
Instruction Fuzzy Hash: F1B15B61108BC0CEE316CB39C488B567FD15B66318F0E82DDC1A94F7E3D6BA9509C726

Function 00404C30 Relevance: 3.3, Strings: 2, Instructions: 821COMMON

Download Yara Rule

Strings

8, xrefs: 0040556E
0, xrefs: 00405576

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 6dc858bbbfe624dfad55298dc1ff51f881e4ee94df4b44499febe866db10dfb7
Instruction ID: b2012c2a1db2469c536b3b07072ca7f30576caaa2b6fce1d7d7eab69a15dbd8f
Opcode Fuzzy Hash: 6dc858bbbfe624dfad55298dc1ff51f881e4ee94df4b44499febe866db10dfb7
Instruction Fuzzy Hash: C37224716083409FD720CF28C884BABBBE1AF94354F14892EF9899B391D379D944CF96

Function 00634E97 Relevance: 3.3, Strings: 2, Instructions: 821COMMON

Download Yara Rule

Strings

8, xrefs: 006357D5
0, xrefs: 006357DD

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 6dc858bbbfe624dfad55298dc1ff51f881e4ee94df4b44499febe866db10dfb7
Instruction ID: 5d767f0d4695ba6860a50b7eae737f186aa79d7acaf8db1b54c6dadbe47cb0a7
Opcode Fuzzy Hash: 6dc858bbbfe624dfad55298dc1ff51f881e4ee94df4b44499febe866db10dfb7
Instruction Fuzzy Hash: AA7247716097409FDB14CF18C880BAFBBE2AF98354F08892DF8998B391D775D944DB92

Function 004149D2 Relevance: 3.3, Strings: 2, Instructions: 785COMMON

Download Yara Rule

Strings

"QA, xrefs: 00415111
DCBA, xrefs: 00415140

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: "QA$DCBA
API String ID: 0-245934142
Opcode ID: da7e7a091b299d629383012bde4d708ed3665d80d9bc649e5bca373848964446
Instruction ID: 0f343f07f763c093eda431b8f3cc145afcb9e6bc0588436d3b08ca102e247978
Opcode Fuzzy Hash: da7e7a091b299d629383012bde4d708ed3665d80d9bc649e5bca373848964446
Instruction Fuzzy Hash: 232214B96083009FD714AF24EC42A6B77E1FBC9304F04987DF586972A1D7789C42CB9A

Function 0041C200 Relevance: 3.0, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

w|, xrefs: 0041C2D2
hw, xrefs: 0041C2BA

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: hw$w|
API String ID: 0-1849151029
Opcode ID: 734342037324eacdd7391db1c3bf52b9f40376664cdccb21274471d1a9b12dfb
Instruction ID: 7f53893ece1fc367e5dcc430f0afdbafb4e397ed581a73c08b8c5b99d3946130
Opcode Fuzzy Hash: 734342037324eacdd7391db1c3bf52b9f40376664cdccb21274471d1a9b12dfb
Instruction Fuzzy Hash: CFB1E2726583018BC7248F28C8916ABB7F2EFD1314F19891EE8D58B391E738D945C79A

Function 0064C467 Relevance: 3.0, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

w|, xrefs: 0064C539
hw, xrefs: 0064C521

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: hw$w|
API String ID: 0-1849151029
Opcode ID: b23df61f2ef49c2947da90d0bd9d5e31a992d5033c86ac1ab49d2e06892225d9
Instruction ID: 64cc95f306035ebb04e4c1aeee437b8ad2cd340a0818d0dc8c32442f02298a99
Opcode Fuzzy Hash: b23df61f2ef49c2947da90d0bd9d5e31a992d5033c86ac1ab49d2e06892225d9
Instruction Fuzzy Hash: CCB100726093018BC724DF28C8516ABB7F2EFD1364F19892CE8D98B391E779D905C746

Function 00427E72 Relevance: 2.9, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

G[FY, xrefs: 004281FC
DCBA, xrefs: 00428145

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: DCBA$G[FY
API String ID: 0-856299504
Opcode ID: 93dc21e667c1b1698dd5e75b19c31e16824cfbd8eadb7a72228e1aae788c1817
Instruction ID: acbdeeeb004be50e2ba449d149a87591eee4a2ed68f632f87bd49a880149dc6a
Opcode Fuzzy Hash: 93dc21e667c1b1698dd5e75b19c31e16824cfbd8eadb7a72228e1aae788c1817
Instruction Fuzzy Hash: 37D18A72F04164CFDB14CF68E8416AEBBB2BF0A310F29426DE451AB391D739AD01CB94

Function 0066CF37 Relevance: 2.9, Strings: 2, Instructions: 354COMMON

Download Yara Rule

Strings

;:;<, xrefs: 0066D15B
, xrefs: 0066CFFC, 0066D07F

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ;:;<$
API String ID: 0-1755626032
Opcode ID: c1c7daaaed41f988dfc31703db4aeb316410404d10fd37317723a089c62ff922
Instruction ID: 6ff3833fd6b92511e3e6ed56b7498cbd5c57adeb18352d0cb1601e05013cefb7
Opcode Fuzzy Hash: c1c7daaaed41f988dfc31703db4aeb316410404d10fd37317723a089c62ff922
Instruction Fuzzy Hash: E8913632B483218FC7288F24C8905ABB7A3EFD6324F19866CE9A55B391D7719C06C7D1

Function 00646358 Relevance: 2.8, Strings: 2, Instructions: 343COMMON

Download Yara Rule

Strings

DCBA, xrefs: 006463C1
DCBA, xrefs: 00646650

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA$DCBA
API String ID: 0-1149900676
Opcode ID: 8b626db9781428600e58e4765972ef887d537de1bdab17d5c6e6e24a2320fd72
Instruction ID: 82d30b2fe6a1a5f4507c5706bbebebba746858edb334b12c42b41b1a7e3cba57
Opcode Fuzzy Hash: 8b626db9781428600e58e4765972ef887d537de1bdab17d5c6e6e24a2320fd72
Instruction Fuzzy Hash: F88152716483409BDB248B54C881BBFB397FBE6300F29D67CE181572A1C3729C46CB92

Function 00634567 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00634958
), xrefs: 006345E2

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 3a9c97442de2d10b7ad2e8fd85f9ffe11a3585f221f1ba387c7b4e4ab0caf792
Instruction ID: 654c5e201645f5a880fc4d602c068741e567ccafa672d5fff938175e2f422b89
Opcode Fuzzy Hash: 3a9c97442de2d10b7ad2e8fd85f9ffe11a3585f221f1ba387c7b4e4ab0caf792
Instruction Fuzzy Hash: 08D18CB19083449FE720CF18C841B9BBBE5AF95304F14892DF9999B381DB75E908CBD6

Function 004253A0 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

36;, xrefs: 00425604
DCBA, xrefs: 004253C5

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: 36;$DCBA
API String ID: 2994545307-4072228999
Opcode ID: 0dda847886624c26bc3385c9e0ceef9b90f1072f0d0968067fad5c958a305d74
Instruction ID: 9bf3ba9eda82bb025300ab767993d6347617181220c3ac0ccfdd0acfe32fd49b
Opcode Fuzzy Hash: 0dda847886624c26bc3385c9e0ceef9b90f1072f0d0968067fad5c958a305d74
Instruction Fuzzy Hash: E2717D70B047205BD7149F24EC8273BB3A2EF81318F98943EE58687356E67C9C46835E

Function 00655607 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

36;, xrefs: 0065586B
DCBA, xrefs: 0065562C

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: 36;$DCBA
API String ID: 0-4072228999
Opcode ID: 15b8a28fc80d3680f339a5a5d71e75571deb8e7a246e763fc6171ac3ac233ef0
Instruction ID: 40afc77c0de76f94894a4e9cb946a62d97591fee996dd4085561877b1dd82f3e
Opcode Fuzzy Hash: 15b8a28fc80d3680f339a5a5d71e75571deb8e7a246e763fc6171ac3ac233ef0
Instruction Fuzzy Hash: 60714970A047408BD7149F24CCA6ABBB3A3EF85315F18847CE9838B351E6759C0EC766

Function 0042228A Relevance: 2.8, Strings: 2, Instructions: 254COMMON

Download Yara Rule

Strings

2$B, xrefs: 0042241F
DCBA, xrefs: 004222E5

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: 2$B$DCBA
API String ID: 0-1255609399
Opcode ID: b8a5712087c14186e1c49957dc37804f35f551a7101ac51a0334c06517324715
Instruction ID: a0689bfed4d65d9126b70d859fd0fa5cdd0bef780fced2d3400ab0f3fbbffa4f
Opcode Fuzzy Hash: b8a5712087c14186e1c49957dc37804f35f551a7101ac51a0334c06517324715
Instruction Fuzzy Hash: 89912776604621CFC314CF28EC5126AB3E2FF89315F898A7CE895C7391E7749850CB84

Function 0042A9C4 Relevance: 2.7, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

gbTS, xrefs: 0042AB44
|, xrefs: 0042AC1E

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: gbTS$|
API String ID: 0-3306122945
Opcode ID: 946224f028aee6afaee8bee1061b915f25f83cc3104a808cb51b38d008bb591f
Instruction ID: 66e926ada81158d3c81f9cc5994b24db1a103964577c9991785ea437590cd516
Opcode Fuzzy Hash: 946224f028aee6afaee8bee1061b915f25f83cc3104a808cb51b38d008bb591f
Instruction Fuzzy Hash: 4971F47060C3E18FE3258B3594657ABBFD1AFA3304F58485ED5CA8B382D679480ACB57

Function 0065AC2B Relevance: 2.7, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

gbTS, xrefs: 0065ADAB
|, xrefs: 0065AE85

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: gbTS$|
API String ID: 0-3306122945
Opcode ID: 946224f028aee6afaee8bee1061b915f25f83cc3104a808cb51b38d008bb591f
Instruction ID: 482544a28278d202fffa0812c1442a8a2c2d634257834c5f6e2c339020daee8d
Opcode Fuzzy Hash: 946224f028aee6afaee8bee1061b915f25f83cc3104a808cb51b38d008bb591f
Instruction Fuzzy Hash: 7671F57010C3D18EE3258B3584627ABBFD29FA3305F184A5DD4DA8B782C779480ADB53

Function 0042AA62 Relevance: 2.7, Strings: 2, Instructions: 246COMMON

Download Yara Rule

Strings

gbTS, xrefs: 0042AB44
|, xrefs: 0042AC1E

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: gbTS$|
API String ID: 0-3306122945
Opcode ID: 6c786b22e9bd3a4d31d6c9a86c64b32c728ee3ac3597551b4e15a87be70e5b63
Instruction ID: 95aadaac6a18563f864252b1717a0013fbfc28dbfdb71acaaba62654ed780ad6
Opcode Fuzzy Hash: 6c786b22e9bd3a4d31d6c9a86c64b32c728ee3ac3597551b4e15a87be70e5b63
Instruction Fuzzy Hash: 3571037060C3E18FE3258B3594657ABBFD1AFA3304F58485ED5CA8B382C679480ACB57

Function 0065ACC9 Relevance: 2.7, Strings: 2, Instructions: 246COMMON

Download Yara Rule

Strings

gbTS, xrefs: 0065ADAB
|, xrefs: 0065AE85

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: gbTS$|
API String ID: 0-3306122945
Opcode ID: 6c786b22e9bd3a4d31d6c9a86c64b32c728ee3ac3597551b4e15a87be70e5b63
Instruction ID: cea921c463d363a53b33a2682e6fd7a91e6585cf8ace50d5f6b29704aee251a6
Opcode Fuzzy Hash: 6c786b22e9bd3a4d31d6c9a86c64b32c728ee3ac3597551b4e15a87be70e5b63
Instruction Fuzzy Hash: 2671067010C3D18EE3298B3584627ABBFD19FA3305F184A5DD4D98B782C779480ADB53

Function 0040D738 Relevance: 2.7, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0040D748
A/, xrefs: 0040D880

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: A/$DCBA
API String ID: 2994545307-1952212995
Opcode ID: 1087ef9790cd2e22a96d7d35d25c2d4ed028b503461a2e47b5b3afec9cb57cad
Instruction ID: b5b8d8c5958f8a2392257b66407102ab0bea2b15514156534733f35bb6fab36e
Opcode Fuzzy Hash: 1087ef9790cd2e22a96d7d35d25c2d4ed028b503461a2e47b5b3afec9cb57cad
Instruction Fuzzy Hash: EB61E377F443119BD3288B998D9153BB693FBD8710F5F827ED88A63751C2B49C0282C9

Function 0063D99F Relevance: 2.7, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

A/, xrefs: 0063DAE7
DCBA, xrefs: 0063D9AF

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: A/$DCBA
API String ID: 0-1952212995
Opcode ID: f7b34a99c9a4153d23633dbc53dfd53d735a6c4df81d91feaa8d786ef34a7d62
Instruction ID: 62712b2fd8d32278c892f6a353673e59d2943c9e7f439f33daaa7b74c67997a2
Opcode Fuzzy Hash: f7b34a99c9a4153d23633dbc53dfd53d735a6c4df81d91feaa8d786ef34a7d62
Instruction Fuzzy Hash: 7561F177B487119BD3288B59DE8063BB697FBE8720F5F827CD88653711C2B09C0282D5

Function 0040CF2B Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0040CFB0
l$, xrefs: 0040D060

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: DCBA$l$
API String ID: 2994545307-2174502125
Opcode ID: 6e7876a82558148d34286b6203d42649e56b71b1c3f8fffe3f09646100feb78f
Instruction ID: e81f7f585b1284ce3ed3aa70dea4a1d59fd0da52fa85469047718e376de5e9dc
Opcode Fuzzy Hash: 6e7876a82558148d34286b6203d42649e56b71b1c3f8fffe3f09646100feb78f
Instruction Fuzzy Hash: B8519C75A583418BE324CF55C8507ABB6E3FFC8304F588A3EE0C997391E7B954068B5A

Function 0063D192 Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

l$, xrefs: 0063D2C7
DCBA, xrefs: 0063D217

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA$l$
API String ID: 0-2174502125
Opcode ID: aa648f81ea79772d36b7b5469990f541fe585529cc595107ccc9b3f5fe6fce81
Instruction ID: 1fbb24f1456fe7821ebba199ad39491564f4cebc7073fafbc2b84ad01b49277f
Opcode Fuzzy Hash: aa648f81ea79772d36b7b5469990f541fe585529cc595107ccc9b3f5fe6fce81
Instruction Fuzzy Hash: 9251DD716083418BE324CF15D8507ABB7E3FFC8304F598A2DE1C887391E7B499068B96

Function 00669E4F Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

nq[P, xrefs: 00669E58
rq[P, xrefs: 00669ED2

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: nq[P$rq[P
API String ID: 0-2909691123
Opcode ID: 0270da04cbef73e4980b843d64e3718cd138bd6eeabb79577a77568dde293e69
Instruction ID: 4a433c5641a87c1865f208e8f2b0d26f281881bb43915fab21c428db3519d9a5
Opcode Fuzzy Hash: 0270da04cbef73e4980b843d64e3718cd138bd6eeabb79577a77568dde293e69
Instruction Fuzzy Hash: 28510636E141558FDB14CF68CC815BEB763FFD5310B2A82A8D991A7355CB35AC02CB94

Function 0063092B Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 00630966
GetProcAddress., xrefs: 006309DC, 006309DF, 006309E4

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: GetProcAddress.$l
API String ID: 0-1376745856
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9013cb23ad4f06e4f1c28519ed8b1fa9f1e99acf318e961cecb312c3fe85d718
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 043119B6900609DFEB10CF99C880AADBBF6FF48324F15504AD441A7351D771EA49CBA4

Function 00422280 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

DCBA, xrefs: 004221B5
DCBA, xrefs: 00422225

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: DCBA$DCBA
API String ID: 0-1149900676
Opcode ID: 9f39d459a20eea78463afbd07f1cdce5eebe2d6ff46cd4990b93331becbeac2d
Instruction ID: cc224051eb8e31dd6316900927487a585cff38f21c0bff34a8391b323fd27dc7
Opcode Fuzzy Hash: 9f39d459a20eea78463afbd07f1cdce5eebe2d6ff46cd4990b93331becbeac2d
Instruction Fuzzy Hash: 1311E4747083219FE7148F39AA1063BB3E0FB9A314F94997DD595D3341C6B89822CF8A

Function 00652465 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0065248C
DCBA, xrefs: 0065241C

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA$DCBA
API String ID: 0-1149900676
Opcode ID: bf2593e8229e15667b3473caa24e4bb517f1db4510249c2af4b596899cd6d0a2
Instruction ID: ff5da83295ece99c88288c6e6b7e0708a371121305834fd1f343549d2f00a684
Opcode Fuzzy Hash: bf2593e8229e15667b3473caa24e4bb517f1db4510249c2af4b596899cd6d0a2
Instruction Fuzzy Hash: F111BE746083428FD7048F39C42066BB7E2FB9B329F14997CD8C5A3241D338D80A8B86

Function 004256C0 Relevance: 1.8, Strings: 1, Instructions: 600COMMON

Download Yara Rule

Strings

p, xrefs: 00425C46

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-1614059158
Opcode ID: aa6baa49895322900176c9b42fb38d31e4b9bf19fb39eb4163cc445dfb64b88e
Instruction ID: 28a2b986e44d0327de6fdeb9e88d05ab1b5e7d256b898e476f4477ccab8b14a9
Opcode Fuzzy Hash: aa6baa49895322900176c9b42fb38d31e4b9bf19fb39eb4163cc445dfb64b88e
Instruction Fuzzy Hash: 361233B16083518FD3109F24E89176BBBE1EFD6314F58882EF5C18B382E639D945CB96

Function 00421380 Relevance: 1.7, Strings: 1, Instructions: 488COMMON

Download Yara Rule

Strings

!, xrefs: 004213F4

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-113910852
Opcode ID: 9abd315e3cbf87aa339e2572e06a42fb59d60662cf93b551ecb1ebc3c3b19fc7
Instruction ID: 2d693bce10ed5bc3cb733e123271110e610af88e73c885137d41ad325da0423d
Opcode Fuzzy Hash: 9abd315e3cbf87aa339e2572e06a42fb59d60662cf93b551ecb1ebc3c3b19fc7
Instruction Fuzzy Hash: 00C14972A083208BD724DF24D85176BB3E2EFE0354F49452EE8C5973A1EB799D01839A

Function 006515E7 Relevance: 1.7, Strings: 1, Instructions: 488COMMON

Download Yara Rule

Strings

!, xrefs: 0065165B

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: !
API String ID: 0-113910852
Opcode ID: 16f6df2906aa7dec41bce76e96980ed6c89ad82f818eae5abc274515a54e897c
Instruction ID: ac1160142712f155fbfb5a84f0d45a47d651a66caf500d65e9873f4f3d5b35db
Opcode Fuzzy Hash: 16f6df2906aa7dec41bce76e96980ed6c89ad82f818eae5abc274515a54e897c
Instruction Fuzzy Hash: 89C13572A083108BD724EB248851BABB3E7EF92315F09852CECD59B391E7759D09C792

Function 00436632 Relevance: 1.7, Strings: 1, Instructions: 456COMMON

Download Yara Rule

Strings

:, xrefs: 00436B84

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 1671155b14b2931bd87571bc85dfb6e8b8e08e70ce9c07d6e6c88b5b28379f93
Instruction ID: f9410e24bd2503e28d38db43460cdb051a99e20d74fa8e4bb493f54e40408b3e
Opcode Fuzzy Hash: 1671155b14b2931bd87571bc85dfb6e8b8e08e70ce9c07d6e6c88b5b28379f93
Instruction Fuzzy Hash: 81D1283B625612CBCB1C4F24DC6227B73A2FF8A745F0AD1BED4424B2A5D7788D548B05

Function 00429070 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 00429358

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 890805ae256df2394b4c992c8510d8c6f152f74533689e5e64bf7f5813ebe0a9
Instruction ID: ba5bec7ee50c6a9e90924a2fc2af94bf927fb64befec74e61bb5d5638cdde794
Opcode Fuzzy Hash: 890805ae256df2394b4c992c8510d8c6f152f74533689e5e64bf7f5813ebe0a9
Instruction Fuzzy Hash: 39C14872B08321ABD714CE25E49076BB7D5AF84314F58892FE89587382DB3CEC45C79A

Function 006592D7 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 006595BF

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: cce4eacc449484495e8b4183159e6348b1f22454bc2ac309fb872f566127f3ee
Instruction ID: 119a7ec9d0628aec45824c7ed0041f6940fa1f0e2b0bbc415373c18ffb2af8f3
Opcode Fuzzy Hash: cce4eacc449484495e8b4183159e6348b1f22454bc2ac309fb872f566127f3ee
Instruction Fuzzy Hash: EBC1C3B2A04344DBD7158E24C890BABB7EBAB85311F1C852DEC9587381E735DD4DC7A2

Function 004278FF Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

DCBA, xrefs: 00427DB5

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: 665b239abf2841e6d0f961e3cfc981518c75b4c60a61af7a1ab826084c76c74c
Instruction ID: 5cb9ee687e09a46fdaf2d0b33c69c9879aaf2aa02bbada1774ec9044eabba094
Opcode Fuzzy Hash: 665b239abf2841e6d0f961e3cfc981518c75b4c60a61af7a1ab826084c76c74c
Instruction Fuzzy Hash: 51C101B560C3419BD7108F24D88166BBBE2EF86314F54896EF4D9873A2D638E905CB4A

Function 00420FA0 Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

tq, xrefs: 00421000

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: tq
API String ID: 0-481023706
Opcode ID: 29c9bf756c045eef1a09ef221ff720d3352d9421d4280291e27939b0caa909bf
Instruction ID: 8f534a504f04a5d9767115eb01dd3f16783e7d924e47365cff2b2f91225dd44f
Opcode Fuzzy Hash: 29c9bf756c045eef1a09ef221ff720d3352d9421d4280291e27939b0caa909bf
Instruction Fuzzy Hash: 28A155B1B043118BD710CF60D881B6BB3E1FF94358F14892DE9898B3A1E779E905C75A

Function 00651207 Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

tq, xrefs: 00651267

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: tq
API String ID: 0-481023706
Opcode ID: 23eaddf717e5e463b13a5a7b60b3b5d5ff82139f2ed2cfdc4fd222b066815821
Instruction ID: 8fbdf87ed9566a084d60a9b138901a9901a2a784e452965ea7f76513fa3e4cc4
Opcode Fuzzy Hash: 23eaddf717e5e463b13a5a7b60b3b5d5ff82139f2ed2cfdc4fd222b066815821
Instruction Fuzzy Hash: 9CA1F4B16043019BC7149F64C891BABB7E2FFC6319F14892CE98A8B391E779D909C791

Function 0042A749 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

wH, xrefs: 0042BAD4

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: wH
API String ID: 0-1503671404
Opcode ID: 735eff78948b21e92c26272058e6777a53df9390db2d3b00e6e92735ac06b047
Instruction ID: 6938ec21c2c950272ecf71514532c80e00f36c867636421e33f396b57224f4d7
Opcode Fuzzy Hash: 735eff78948b21e92c26272058e6777a53df9390db2d3b00e6e92735ac06b047
Instruction Fuzzy Hash: F6A1067190C3E18BD335CF2994603ABBBE1AFD6304F58896ED4C997382D7398905CB96

Function 0065A9B0 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

wH, xrefs: 0065BD3B

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: wH
API String ID: 0-1503671404
Opcode ID: 2007ba78c25e3e8eccc0f9854452d44547dcb92d34a84f05b63c8b6529d01bd1
Instruction ID: 34ff86c7af649ec7b225821b008110154fba70cbe7b3ac4a4921f4d964fb64fd
Opcode Fuzzy Hash: 2007ba78c25e3e8eccc0f9854452d44547dcb92d34a84f05b63c8b6529d01bd1
Instruction Fuzzy Hash: F3A1F67180C3D18BD735CF2884507ABBBE1AFD2305F189AADD8D997382D735890ACB56

Function 0041CA40 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

~, xrefs: 0041CB0D

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 806e1ad82d1fe01035a3a04b6d141387db23568e2ae8e027bca790208af7bf04
Instruction ID: 20d55060c47421e563f3ea782d842ae176eb6628bfb33178114c4445c7dce7b7
Opcode Fuzzy Hash: 806e1ad82d1fe01035a3a04b6d141387db23568e2ae8e027bca790208af7bf04
Instruction Fuzzy Hash: E7A13A729486214FC711CF28CC817ABBBE1AB95324F19863DE8A997391D738DC46C7C6

Function 006489D3 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

~, xrefs: 00648BB2

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-3734495848
Opcode ID: 355a6c65d4879f889d726b7ad2c1a24d7495bdd07e2d78c9d59b1e122d21a961
Instruction ID: 69b477698ffe9eb79f3882f6414245c8f3db0862f144123d341738f82f8a0740
Opcode Fuzzy Hash: 355a6c65d4879f889d726b7ad2c1a24d7495bdd07e2d78c9d59b1e122d21a961
Instruction Fuzzy Hash: 7491E0729483208FC3248F18C8906ABB7A2FFD5744F5A896DE8C55B3A4EB319D02C756

Function 0064CCA7 Relevance: 1.5, Strings: 1, Instructions: 285COMMON

Download Yara Rule

Strings

~, xrefs: 0064CD74

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 2299d24007fc3d76674f0db060a5f65dcf0c1f2015cebe85fd65035b914bf7fa
Instruction ID: dc6ac90d8ae1191e9864ff6decad794eaf531338b79e066da3b6f4d38ca1f729
Opcode Fuzzy Hash: 2299d24007fc3d76674f0db060a5f65dcf0c1f2015cebe85fd65035b914bf7fa
Instruction Fuzzy Hash: A8A13A329086514FCB55CF28C8416AEBBE2EF95324F19863CE8A997391D735CC46C7D2

Function 0064CBCB Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

~, xrefs: 0064CD74

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 38186c378c75e51c07d1b30478c249c1bb7f207e0a0591839dbf680f5bc0200a
Instruction ID: 95ce9069d4733d8660b3e98044bd91265ead16d24e1ca2135014dd617f0ae745
Opcode Fuzzy Hash: 38186c378c75e51c07d1b30478c249c1bb7f207e0a0591839dbf680f5bc0200a
Instruction Fuzzy Hash: 3A915361A4C2D09FE7264AA44C36A897F51EB4233CF3B51DEE4D64B6A3D56E8423C343

Function 00405E90 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00405FC6

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 5f2faef974116ec6b01a5155b5fcf0618d67d73967f2efe24fc229197e08a00c
Instruction ID: 35cb39d69d440d3dd2cc247d0e9d645b9ebb41c3e8e543fb4a0ac07a1624e687
Opcode Fuzzy Hash: 5f2faef974116ec6b01a5155b5fcf0618d67d73967f2efe24fc229197e08a00c
Instruction Fuzzy Hash: 57B138711097859FD321DF28C88061BFBE0AFA9704F444A2EF5D997382D635E918CBA7

Function 006360F7 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0063622D

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 5f2faef974116ec6b01a5155b5fcf0618d67d73967f2efe24fc229197e08a00c
Instruction ID: 9ea734f49cf259c2ddf38c556183519e11167277a649f48f4453cc17ca6d0b16
Opcode Fuzzy Hash: 5f2faef974116ec6b01a5155b5fcf0618d67d73967f2efe24fc229197e08a00c
Instruction Fuzzy Hash: 49B138712083819FD325CF18C98065BFBE1AFA9704F448E2DF5D997342D631EA18CBA6

Function 00648E4E Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

WXY, xrefs: 0064901D

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: WXY
API String ID: 0-578357071
Opcode ID: 9ac52ab9ea5249d440cfc6a24ea8c2da27a5e41fcfcff4567cf9a22dc44a9644
Instruction ID: c6b54b575219d62b53f2442bc5d8f0b10bf6500aa77bff7b127a2440442e7dd4
Opcode Fuzzy Hash: 9ac52ab9ea5249d440cfc6a24ea8c2da27a5e41fcfcff4567cf9a22dc44a9644
Instruction Fuzzy Hash: 9381F2715083218BC724DF28C8906ABB7F2FFD9764F18895DE8C49B764EB349941CB52

Function 00438620 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

DCBA, xrefs: 00438770

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: e97ef76f18b33331658c6dadffdbf4a03ec667c33888f79711ecf2f3b557a6d1
Instruction ID: 872a48a09982231b8dafbd347f7c63a6ccfc1133244f06d7031620cbbfbec7ca
Opcode Fuzzy Hash: e97ef76f18b33331658c6dadffdbf4a03ec667c33888f79711ecf2f3b557a6d1
Instruction Fuzzy Hash: 73512632A047108BC7209E2C8C8165BF7E2FB8A324F19A67EE89497395DB789C45C7D5

Function 00668887 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

DCBA, xrefs: 006689D7

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: 6b87d36e4653830a2206e18ee3bb8ff8f1c920dec9c05b149e87b788344ca879
Instruction ID: 750a288c21f386a6124cb65af61216c9088be3ae962c96fcbe6be51fb73184cf
Opcode Fuzzy Hash: 6b87d36e4653830a2206e18ee3bb8ff8f1c920dec9c05b149e87b788344ca879
Instruction Fuzzy Hash: 9E51F432A046109FC7208E7CC8816AAB7E7EB86324F19C779D8A497395DA719C46C7D1

Function 00429ECA Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

ytyu, xrefs: 0042B109

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: ytyu
API String ID: 0-3122247562
Opcode ID: f053fbe5bc21165d167fab0e9e4a8a53879f261e0ed1905fc728f89db18bf12f
Instruction ID: 12b0de02a6f5ab75272d138379b8755f22481c091a64ef22d8aed6e45f9efa9c
Opcode Fuzzy Hash: f053fbe5bc21165d167fab0e9e4a8a53879f261e0ed1905fc728f89db18bf12f
Instruction Fuzzy Hash: AA512B616083D14BD7298F3994A07BBBBD2DFD7304F5885BDC0D69B286CB3841068759

Function 0065A131 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

ytyu, xrefs: 0065B370

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ytyu
API String ID: 0-3122247562
Opcode ID: f053fbe5bc21165d167fab0e9e4a8a53879f261e0ed1905fc728f89db18bf12f
Instruction ID: c7a6ee9ce0d29fe64077406bf95a8dd9084bd2957bcafdfb8ebfa1afa2035230
Opcode Fuzzy Hash: f053fbe5bc21165d167fab0e9e4a8a53879f261e0ed1905fc728f89db18bf12f
Instruction Fuzzy Hash: AF512C616083C14BD7398F3984907BABFD2DFA7309F1899BDC4D69B286CB34410A8715

Function 0040D49A Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0040D4B0

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: DCBA
API String ID: 2994545307-2222620526
Opcode ID: 57583cc18d04cf4ade500645237bdaea67503594d84e72236601d2668f315770
Instruction ID: 64bd359bbb5b43e3422d3c833f04884c8d2da5cb65cc84172a81cef7814223a6
Opcode Fuzzy Hash: 57583cc18d04cf4ade500645237bdaea67503594d84e72236601d2668f315770
Instruction Fuzzy Hash: E1517C76F0062057D729AB669C5276F7242AFD8718F49413DE88A333C2DBB86D0681DE

Function 0063D701 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0063D717

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: a3bf1790a9150fded9ac8a93578737397ff43db7e0ff12365720d09c75aa0f08
Instruction ID: 7ccf4a13583ad6a5797d9e821dbb1879745e40d44e5ae2d0fb40ef6eee097522
Opcode Fuzzy Hash: a3bf1790a9150fded9ac8a93578737397ff43db7e0ff12365720d09c75aa0f08
Instruction Fuzzy Hash: 705138B7B047104BE7259B149C526EF7253AFD9710F0E413CEC8A23382CBB1690681DE

Function 0063BC16 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

[\, xrefs: 0063BD11

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: [\
API String ID: 0-2051771327
Opcode ID: ecd83d49e737039969fc9a01a5a5ccd7361e12d91337dd1d4edd54560e481326
Instruction ID: 853f15477a5283f3a4fea53921e0319107da490f186d158df0c99bf15e3a7441
Opcode Fuzzy Hash: ecd83d49e737039969fc9a01a5a5ccd7361e12d91337dd1d4edd54560e481326
Instruction Fuzzy Hash: 02414432F183505FD364CBA49CC179BFB92EBE1204F29A53CEAC9A7351D2759C028785

Function 0042B0DE Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

ytyu, xrefs: 0042B109

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: ytyu
API String ID: 0-3122247562
Opcode ID: 3494bfe6291a6431b01350dcad90491f8a54cb059fc7b75e339d49c7782d6889
Instruction ID: 648daf82285625cf77c371538089869eb7515d56c2969b46c42d7a52f9289bc7
Opcode Fuzzy Hash: 3494bfe6291a6431b01350dcad90491f8a54cb059fc7b75e339d49c7782d6889
Instruction Fuzzy Hash: 27412D6060C3D24BD73A8F2994A47B7BFE1DFA3344F5885AEC0D65B242CB384506C75A

Function 0065B345 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

ytyu, xrefs: 0065B370

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ytyu
API String ID: 0-3122247562
Opcode ID: 3494bfe6291a6431b01350dcad90491f8a54cb059fc7b75e339d49c7782d6889
Instruction ID: 0e5a17efa6c5557b6d67550264afca5fa078f729e1400876082714077c96243e
Opcode Fuzzy Hash: 3494bfe6291a6431b01350dcad90491f8a54cb059fc7b75e339d49c7782d6889
Instruction Fuzzy Hash: B841FE605083C28BD73A8F2580A07BAFFE6DFA3305F1859ADC4D65B686C734410AC716

Function 00429E89 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

ytyu, xrefs: 0042B109

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: ytyu
API String ID: 0-3122247562
Opcode ID: cbca36ce238727ca39cac4ff67d5d0eb6a20784f1e8b4ad77352ae9aa64df1ca
Instruction ID: 9f127353f7bba25dfea1de63524ab0f2f798c8a367a6f857e5b761ee54c0f219
Opcode Fuzzy Hash: cbca36ce238727ca39cac4ff67d5d0eb6a20784f1e8b4ad77352ae9aa64df1ca
Instruction Fuzzy Hash: 5C312A6060C3D24BD73A8F2994647BBBFE1DFA3344F5889AEC0D65B282CB344506C75A

Function 0065A0F0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

ytyu, xrefs: 0065B370

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: ytyu
API String ID: 0-3122247562
Opcode ID: cbca36ce238727ca39cac4ff67d5d0eb6a20784f1e8b4ad77352ae9aa64df1ca
Instruction ID: e7789118abef25a519995697b28c5a2ae18b97645e16e632c70c6bf8a61b37c4
Opcode Fuzzy Hash: cbca36ce238727ca39cac4ff67d5d0eb6a20784f1e8b4ad77352ae9aa64df1ca
Instruction Fuzzy Hash: 4E311A615083C28BD73A8F2980507BAFFE2DFA3305F1899ADC5D65B286CB34410BC716

Function 0041AC1D Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

!y{{, xrefs: 0041AC40

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: !y{{
API String ID: 0-1777749009
Opcode ID: 34a11b86288b67153c8836f152e560bb3d0582ddd333178ec40e8e1900dbe185
Instruction ID: 60daa59d1a784ae211c2b3ef0204a34bfe7960cd735750a74c34f91c64a24c52
Opcode Fuzzy Hash: 34a11b86288b67153c8836f152e560bb3d0582ddd333178ec40e8e1900dbe185
Instruction Fuzzy Hash: 912199729493508BC7148E29D8503E7FBE1EFD2314F1C84AFE8C5EB301E23988168796

Function 0064AE84 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

!y{{, xrefs: 0064AEA7

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: !y{{
API String ID: 0-1777749009
Opcode ID: 34a11b86288b67153c8836f152e560bb3d0582ddd333178ec40e8e1900dbe185
Instruction ID: aef8d57438fb6306ab820544545a96fff68ec7bcc3a2ff47f48ac707e37829d8
Opcode Fuzzy Hash: 34a11b86288b67153c8836f152e560bb3d0582ddd333178ec40e8e1900dbe185
Instruction Fuzzy Hash: A62199739482509BD7148A69D8507F7FBE2EFD2305F1894AEE8D1E7301D37688058B52

Function 00422154 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

DCBA, xrefs: 004221B5

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID: DCBA
API String ID: 2994545307-2222620526
Opcode ID: a3285eac4c9d0b2840b591ec952b068857be1a3abe61b60f757daffff14c0e29
Instruction ID: 58c59863d1f9f3c4caf99bc5159be815190c9076244c5d1684e7e5d48b42dc26
Opcode Fuzzy Hash: a3285eac4c9d0b2840b591ec952b068857be1a3abe61b60f757daffff14c0e29
Instruction Fuzzy Hash: DF210474708212BFE6288B14DD41F3773A1F796324FA0862DE652A62D0D6F49C128B59

Function 006523BB Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0065241C

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: 8008211a04cd10efa300db7d4a70b051e377c7d38baadb32c628682428789c96
Instruction ID: a5a18581d6410a0d38bf4086ff03410bd0c4665e4f4530dd1068931f77fb6e7b
Opcode Fuzzy Hash: 8008211a04cd10efa300db7d4a70b051e377c7d38baadb32c628682428789c96
Instruction Fuzzy Hash: F72126B4708202AFD6288B10CC21B7B73E2EB97325F20853CF991962D0D370A8468B55

Function 00654587 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

DCBA, xrefs: 006545AC

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: 9302b6d798fa519ebacd504206162ec7a4b4ddc42cce45d99f24747a2e7236f5
Instruction ID: 4104522478e06dbba5c5648ee142aa40ca00953b5cad856d9a0afe2d90b31b0d
Opcode Fuzzy Hash: 9302b6d798fa519ebacd504206162ec7a4b4ddc42cce45d99f24747a2e7236f5
Instruction Fuzzy Hash: 0211083560C240AFD7488F34944086FB363FF9271AF5568ACE84267210D732ED86CB89

Function 00656DF5 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

DCBA, xrefs: 00656E2C

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: d364280f8d9cebd15d052ec604f4ff3c1d1f334e8dddc9af0034bae0b550afb5
Instruction ID: 20f7fde014e1bec018a158f352e4aa5fcfcc8db2e9b743b2eb01dea652278c88
Opcode Fuzzy Hash: d364280f8d9cebd15d052ec604f4ff3c1d1f334e8dddc9af0034bae0b550afb5
Instruction Fuzzy Hash: 5001C0743092409BD7148F05D89296FF3A3FBD9715FA4963CE98513B22C731AC06C79A

Function 00652175 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0065218C

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: 4b62b845c74b88cbcf6a405a3ed733e45f8285cfb086d325566e7cd33cf5843f
Instruction ID: 5f49e656203d92a046b404c3392b2b39c5bbbb72dad85216245255e7fc2fd6ca
Opcode Fuzzy Hash: 4b62b845c74b88cbcf6a405a3ed733e45f8285cfb086d325566e7cd33cf5843f
Instruction Fuzzy Hash: C201D83464C6429BDB648B14CCA18BB7366EB8B719F20962CE75523161C3719C0BCB68

Function 0041B2AA Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

$(Ca, xrefs: 0041B355

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: $(Ca
API String ID: 0-3651910949
Opcode ID: f3dc78d55f9b7432d2cfe76f020a771e01dd59afd2f47eff987ab0c26e84f887
Instruction ID: a54c174fe026b402a79ebbd94ae73bc0dd6676e717bfd306ef8db5c792464231
Opcode Fuzzy Hash: f3dc78d55f9b7432d2cfe76f020a771e01dd59afd2f47eff987ab0c26e84f887
Instruction Fuzzy Hash: 7C1131301083819BCB199B25C811BBABBE09F97304F18486DF0D2D32E3DB398446C79A

Function 0064B511 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

$(Ca, xrefs: 0064B5BC

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: $(Ca
API String ID: 0-3651910949
Opcode ID: 0f8dff1761e10723591c97eb50b01714baf8e604dc30931067c41af8978469a7
Instruction ID: 335d4852aec2b25022f58ee1000dc50d2710edc9262ea3e65b884bbadc057ba8
Opcode Fuzzy Hash: 0f8dff1761e10723591c97eb50b01714baf8e604dc30931067c41af8978469a7
Instruction Fuzzy Hash: 0011E2305082819BDB1D9F25D811B7ABBA19B97305F18556CF0D2D72E2C736C406C756

Function 0040CCC5 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

nt, xrefs: 0040CCE3

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: nt
API String ID: 0-3989823987
Opcode ID: 8f23375f3ded1cedf8c2b6c586e19495486d9110ee2f26202b7f1334f42557fb
Instruction ID: 9a8167d43ed3aa6e80a9fffa86108335d32d45ce1e36d09d358efee2e21b3ab1
Opcode Fuzzy Hash: 8f23375f3ded1cedf8c2b6c586e19495486d9110ee2f26202b7f1334f42557fb
Instruction Fuzzy Hash: FA114876E163911BE314DB359C916EBB6E29B8A304F28853DD985D3382EA389811874A

Function 0063CF2C Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

nt, xrefs: 0063CF4A

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: nt
API String ID: 0-3989823987
Opcode ID: 0e4fefff73ff54b9173d3b710ddea33b2c913f44b34d81fcb527661f0bcde096
Instruction ID: 8f154020238de592efbe489514020032672401c5543627c9088d61f8d09f5959
Opcode Fuzzy Hash: 0e4fefff73ff54b9173d3b710ddea33b2c913f44b34d81fcb527661f0bcde096
Instruction Fuzzy Hash: DC114872A163910BE314CB749C812EBB2E3DFDA310F18853CD984D3382EA3889158789

Function 00426B95 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

DCBA, xrefs: 00426BC5

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: 46dae3eb64ecb0a1064fd8842b286c225d399b63ef32f03feab82d06fe954c76
Instruction ID: 8a75870b9544ae66542a2f01dc01a329589ad7ae4b69aae63c4df01bd4df3dd1
Opcode Fuzzy Hash: 46dae3eb64ecb0a1064fd8842b286c225d399b63ef32f03feab82d06fe954c76
Instruction Fuzzy Hash: 5BF062307082A08BD6148B15959156FF7A2FBDA724FA6963DD4C563611C778A802878E

Function 00652177 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

DCBA, xrefs: 0065218C

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: DCBA
API String ID: 0-2222620526
Opcode ID: c171ce8634b65f3b72ab00d7978cc057f42bfaa1f1ed53675fa34d6148c0a6de
Instruction ID: 9b59c5d3a5ecd32bebdb59ef5d48b2c33b947c79d57847228b817cf310a000d8
Opcode Fuzzy Hash: c171ce8634b65f3b72ab00d7978cc057f42bfaa1f1ed53675fa34d6148c0a6de
Instruction Fuzzy Hash: FCF0A73864C7418BD7648B24C4E05BBB362EB5F71AF20666CC79667652C361C80BCF58

Function 00654845 Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

1B, xrefs: 0065484E

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: 1B
API String ID: 0-3133059986
Opcode ID: 69e97c14f4ed033172b0ccdde43e2566b438f298db4027ca60a00f3aa6d6021b
Instruction ID: feb82d3cb2b59074027c1493192b546ba3eae4b1d552244d0f36b708172b85e9
Opcode Fuzzy Hash: 69e97c14f4ed033172b0ccdde43e2566b438f298db4027ca60a00f3aa6d6021b
Instruction Fuzzy Hash: AFB012A0D049404A80409F0058018B6B1384A07201F003020E408B3101D601F30041DE

Function 004245DF Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

1B, xrefs: 004245E7

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID: 1B
API String ID: 0-3133059986
Opcode ID: 2531c2ca9f2b30d652056ca3a38abc3e59dd8791d8de977fd086c73412d3a232
Instruction ID: 9bf29452a11724580847962e139651c6fe04d03bd55b6731d135c2de1a5a4938
Opcode Fuzzy Hash: 2531c2ca9f2b30d652056ca3a38abc3e59dd8791d8de977fd086c73412d3a232
Instruction Fuzzy Hash: A7A022E8E0C20083C000CF00B802830F238830B30AF203030E80CF3203EA20F200820F

Function 006531AB Relevance: 1.3, Strings: 1, Instructions: 7COMMON

Download Yara Rule

Strings

70B, xrefs: 006531AB

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID: 70B
API String ID: 0-2582723656
Opcode ID: 3b137f54b60282bb78b724cbeb6a83ac7cf5062442489467fd4f716218ed2886
Instruction ID: f3676da94ab42f47244ed0b0df57d6e577ccfcf37e1cffb6cabbbc84becdf206
Opcode Fuzzy Hash: 3b137f54b60282bb78b724cbeb6a83ac7cf5062442489467fd4f716218ed2886
Instruction Fuzzy Hash: 55A00228E5C000869A08CF20A9516B1E2B95B6FA02F6134288005B7452D910D900851D

Function 004066C0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390256083507c346c3ab170ef3ee4bcd7811fc1c9c6ff3fc0891e8963b1bcf91
Instruction ID: 5ceb4989b1b86f645277271506dccbfdfc38913f66a9b4bce4754ff2b505bc7e
Opcode Fuzzy Hash: 390256083507c346c3ab170ef3ee4bcd7811fc1c9c6ff3fc0891e8963b1bcf91
Instruction Fuzzy Hash: 6B52D270A08B849FE730DB24C4843A7BBE1AB91314F15893ED5E7267C2C37DA995C71A

Function 00636927 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6058685706a4b9884b74908391a19c10f0b4d6fdd3ae6168e92701922a9f3f
Instruction ID: c4a7bcc0e0557423d79dd31d44cb130bece293b6c86de205f7e979929127fcc3
Opcode Fuzzy Hash: 2f6058685706a4b9884b74908391a19c10f0b4d6fdd3ae6168e92701922a9f3f
Instruction Fuzzy Hash: FF52D6B0908B849FE735CB24C8843E7BBE2AF51314F148C6ED5E746782C379A985CB95

Function 00402F40 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e462e2d2b4d664232bddda86f707e6d7dfd7b7d18630e8fe4ab93a725646434
Instruction ID: 1fdbdd34fcc77c32b79dab7dd7279ebfb464f3e9845fc9dd6af1f60592f44fed
Opcode Fuzzy Hash: 3e462e2d2b4d664232bddda86f707e6d7dfd7b7d18630e8fe4ab93a725646434
Instruction Fuzzy Hash: 4D52F5715083458FCB15CF28C0906AABFE1BF89315F18867EF89967381D778E949CB89

Function 004074A0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7431acdf2bb0df9f5d64ac42b9b2a79ca823d03e3cbbd7ec7a0b21da91d18a0
Instruction ID: 16be905699757f58d08162ad6942cc9dbbe75419bc267803a287b0f1a35843ed
Opcode Fuzzy Hash: d7431acdf2bb0df9f5d64ac42b9b2a79ca823d03e3cbbd7ec7a0b21da91d18a0
Instruction Fuzzy Hash: BC12B472A087118BC725DF18D8806ABB3E1BFC4315F19893ED9C6A7385D738B8558B87

Function 00637707 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7431acdf2bb0df9f5d64ac42b9b2a79ca823d03e3cbbd7ec7a0b21da91d18a0
Instruction ID: fb4e0978b98ecf2c1af3219b89c292759b8844d8f4bbaa4138fa7108afcdc310
Opcode Fuzzy Hash: d7431acdf2bb0df9f5d64ac42b9b2a79ca823d03e3cbbd7ec7a0b21da91d18a0
Instruction Fuzzy Hash: E312B0B2A0C7118BC735DF18D8806ABB3E2FFD4315F198A2DD98697385D734A911CB86

Function 00633BB7 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddb25166d6e40877f6ccc7991eb95f166459aab1e500651e052a739ec97d630
Instruction ID: c14e3e882e7ce704525059d0f94dffc8b10c5ab89adafed0ecc19762c91dcc22
Opcode Fuzzy Hash: 1ddb25166d6e40877f6ccc7991eb95f166459aab1e500651e052a739ec97d630
Instruction Fuzzy Hash: BC321370914B218FC368CF29C58056AFBF2BF55710B604A2EE69787B90D736F985CB80

Function 0041E7F0 Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c20ee7d1fd3c2e695e38734b33f15da7c2f123df62230dcde53f4cf05a35178
Instruction ID: b3da4d7c7a96eb8050c9bb065d93e430765124b9399a5d3bdf25a4dde5708ecb
Opcode Fuzzy Hash: 5c20ee7d1fd3c2e695e38734b33f15da7c2f123df62230dcde53f4cf05a35178
Instruction Fuzzy Hash: 96426CB0209B818ED335CB3C8815797BFE56B5A324F488A9DE0FA873D2C7756005CB66

Function 0064EA57 Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c20ee7d1fd3c2e695e38734b33f15da7c2f123df62230dcde53f4cf05a35178
Instruction ID: 7204bfe7e1e4fca113f690a111e540cb9009b5bddeff79ae91c4dcfd76276307
Opcode Fuzzy Hash: 5c20ee7d1fd3c2e695e38734b33f15da7c2f123df62230dcde53f4cf05a35178
Instruction Fuzzy Hash: 3A426DB0609B818ED335CB3C8815797BFE56B5A324F488A9DE0FA873D2C7756005CB66

Function 0043B2A0 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3eb2493ec6072f563b4a43c6dd7fa06ee7fa0786555908344024678f33f4c8
Instruction ID: 619ab9157ca1b6993641521b34ea85d27ffd347c23a9629e239e19e95e2472f3
Opcode Fuzzy Hash: 6a3eb2493ec6072f563b4a43c6dd7fa06ee7fa0786555908344024678f33f4c8
Instruction Fuzzy Hash: 8A02D139A18651CFCB08DF28E89062AB3E2FF8E315F19887DD58687362D734D951CB85

Function 00405940 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d50c103683a0622ac3efb26b6d0f08941bf2fe4eed133c77c72c5fd33b865c
Instruction ID: 02d2229be3a83fbc5474e3e6ea086dcca113fe43498424369727b2d08b453b9d
Opcode Fuzzy Hash: 58d50c103683a0622ac3efb26b6d0f08941bf2fe4eed133c77c72c5fd33b865c
Instruction Fuzzy Hash: 30F1BE756087418FD724CF29C88076BBBE2EFD9304F08882DE5D997391E639E944CB96

Function 00635BA7 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction ID: a10ce2a7934e944fe357bcfdae98f8fd69751608692786b9548d0a6e6775d516
Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction Fuzzy Hash: 16F1AB35608B418FC724CF29C881A6BFBE2AF98300F08992DF5D687351E775E945CB96

Function 0043B3B0 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2814d3387f372cfb679141b86895ccb55011b0c0770ed3df30f2cb10803b1e71
Instruction ID: 9f05b8717927bfe081b226af8366e1f479208401903af2522477c2fa3b49ff04
Opcode Fuzzy Hash: 2814d3387f372cfb679141b86895ccb55011b0c0770ed3df30f2cb10803b1e71
Instruction Fuzzy Hash: ECD1E239618651CFCB04DF28E89062AB3E2FF8A315F19887DE58687362D734D952CB45

Function 004145C0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e929426a73862a706dfe3d3f7cc2da94dfecf917f41e33b4f1cb58fdc9ed8d
Instruction ID: 02fd4fa9980e09b6558b7590cc68c19f32c7e0874a13dff60b885ecba6b80fed
Opcode Fuzzy Hash: 41e929426a73862a706dfe3d3f7cc2da94dfecf917f41e33b4f1cb58fdc9ed8d
Instruction Fuzzy Hash: 4FA13576A043148BD714DF28D8527B7B3E1EFC6324F09952EE8928B391E738D945C3A6

Function 004275F8 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c519d9c627b4595f1583d0e4d9a0ec6692d6ec3fd7c8734c4bb7c58a73b907e
Instruction ID: 9684edbc60ad25b07fabf49457400b183a379ec8f8ed874d5a95084147ac84c7
Opcode Fuzzy Hash: 8c519d9c627b4595f1583d0e4d9a0ec6692d6ec3fd7c8734c4bb7c58a73b907e
Instruction Fuzzy Hash: 9CB1CDB560C311CBD7149F14D86262BB7F1EF82719F14992DE4C58B3A1E738DA04CB5A

Function 0043B4C0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748d77be68dbed454b99448a710467721dd9b0b8a5f0301d51306122a3b9dbce
Instruction ID: ca4072f33ede6b58a719244015b96b67fd492effa00181aab41bb51913a161a0
Opcode Fuzzy Hash: 748d77be68dbed454b99448a710467721dd9b0b8a5f0301d51306122a3b9dbce
Instruction Fuzzy Hash: A1B1D039618651CFCB08DF28E89062AB3E2FF8E315F19887DE58687362D734D951CB85

Function 0041CD60 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bdd86f9149c78e8931a02de7ed9d56138aef0559dfde390388fb0a4284f46e
Instruction ID: 2d32b6a3528814d4c24523c73119158def0aab2ae49429046858fb794448a504
Opcode Fuzzy Hash: 47bdd86f9149c78e8931a02de7ed9d56138aef0559dfde390388fb0a4284f46e
Instruction Fuzzy Hash: 03B12675904300BFDB109F24DC81B5ABBE2FFD4358F148A2EF498932A1E7369D568B46

Function 0043B5E0 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc074c2afe1ff7d659b630ad2b767ddd9ccfed7b811b4107a636614e8c8c324
Instruction ID: 3a1a83d4efd51957a2e2f7f6508c353d15e26a0027bcf7f6379fc93d107fcd8f
Opcode Fuzzy Hash: 3bc074c2afe1ff7d659b630ad2b767ddd9ccfed7b811b4107a636614e8c8c324
Instruction Fuzzy Hash: 5DA1AB35618741CFC708DF28D89062AB7E2FB8A314F29896DE58A87352D735D942CB86

Function 0043C990 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9105eb86e3a3e9f22760ab7743cde2649f61924a560d87c3f2c67a395fb4192e
Instruction ID: 74d931ab855a48af746ba0e3dc3892a10fca20c4ecf4284ffac6787a2b03bbec
Opcode Fuzzy Hash: 9105eb86e3a3e9f22760ab7743cde2649f61924a560d87c3f2c67a395fb4192e
Instruction Fuzzy Hash: 229103356083519BC728DF28D8D1A2BB3E2FF8C300F15A92DE986AB355DB75AC41C785

Function 0066CBF7 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cffb0324b437366b1dc2ca8f828a0d4a61a01ac5f630ec83a72bfe46ad56f82
Instruction ID: 0dcc8469a7649c91cfced51e2ec4d77be955b641d9108d9a069447ab19f489e2
Opcode Fuzzy Hash: 0cffb0324b437366b1dc2ca8f828a0d4a61a01ac5f630ec83a72bfe46ad56f82
Instruction Fuzzy Hash: B491BC35608B519BCB28DF28C89097AB7A3FF88320F19896CE9D59B355DB31AC41C791

Function 0043B550 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a97dccba120d0cf21dc366213ac1d53d25d3e0baa9a4364dce39a263ecbff5
Instruction ID: 513164955bcd0ca0d6743cdfb707a289577f0e9117d017d40f3d683849b1776c
Opcode Fuzzy Hash: b4a97dccba120d0cf21dc366213ac1d53d25d3e0baa9a4364dce39a263ecbff5
Instruction Fuzzy Hash: 79A1E139618251CFCB08DF28D89062AB3E2FF8E314F29897DE58687352D735D952CB85

Function 00406230 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5605cae5b1bda8ad3a4cf5cb71b2aea22018d0d7e53cffc64163186733435116
Instruction ID: eb4bfc3efdb46786f2e6bebf935458a3fcec0c4f1143b4373b6fc09339c11b48
Opcode Fuzzy Hash: 5605cae5b1bda8ad3a4cf5cb71b2aea22018d0d7e53cffc64163186733435116
Instruction Fuzzy Hash: B0C15D729487418FC360CF28DC867ABB7E1BF85318F09492DD1DAD6342D778A155CB46

Function 00636497 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5605cae5b1bda8ad3a4cf5cb71b2aea22018d0d7e53cffc64163186733435116
Instruction ID: 62604306b7d6ba45aad9c98e7b5037de14732242d9332884c0bc456a7bc86169
Opcode Fuzzy Hash: 5605cae5b1bda8ad3a4cf5cb71b2aea22018d0d7e53cffc64163186733435116
Instruction Fuzzy Hash: 9BC15DB2A087419FC360CF68DC96BABB7F1AF85318F08892DD1D9C6342D778A155CB46

Function 0043C6A0 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a31fdb7387a1041ea861772b653f65771b6883603e056eadc3aaab5946a93d4
Instruction ID: c07933878babe71f3ccc4ba8684601a0ec1b95e7ac8a20c0172c4066b999b2d0
Opcode Fuzzy Hash: 2a31fdb7387a1041ea861772b653f65771b6883603e056eadc3aaab5946a93d4
Instruction Fuzzy Hash: 8681E1352083029BD724DF28C891A2BB3E2FFC9710F15A52DE9859B351EB34EC51CB89

Function 0066C907 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dea45d259ce2468cc2097ee2cf2e19da0f5be70b7912efa2404b71ee56a079
Instruction ID: a00c4a54c2370cff264ec0caf321cc15d9c54566a4cb1fc1a7d33b78d6ee81a4
Opcode Fuzzy Hash: 00dea45d259ce2468cc2097ee2cf2e19da0f5be70b7912efa2404b71ee56a079
Instruction Fuzzy Hash: 9381AE35208A029BD724DF28C89197BB3E2EFD9720F15856CE9C58B351EB70EC51CB91

Function 00434AD0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51b7f19852cb98f9319ef847b503ad5ee0d04e85e6670b6974c824828583a6e
Instruction ID: 21f4277e489b25c4b6297c542707cfb0cb85732d2b39f996b935debf0f516e07
Opcode Fuzzy Hash: d51b7f19852cb98f9319ef847b503ad5ee0d04e85e6670b6974c824828583a6e
Instruction Fuzzy Hash: D9B14F31A087918FC715CA7CC8457EE7FA29B9B220F1D839DD4A69B3D2C529A807C761

Function 00664D37 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd11b81172b219e95d5519139b0b4353259f3d40dfd7e4b7358cbd790dc4f135
Instruction ID: 3c1ffb1f4cf29f6812085b7a5b0ac381004734a30a775cba3d48a2e5ab552906
Opcode Fuzzy Hash: cd11b81172b219e95d5519139b0b4353259f3d40dfd7e4b7358cbd790dc4f135
Instruction Fuzzy Hash: EAB13B31E087918FC715CA7CC8856EE7FA39B57320F1D829DD4A69B3D2C52A9807C7A1

Function 00438110 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5175e618b425401ac172ae18a9074802b25c8ccbb770cd0250c69764821831da
Instruction ID: cd3a14b23a336ab25a610646b4f3d7f742152bf915ff5ca9d04d50eb20acef89
Opcode Fuzzy Hash: 5175e618b425401ac172ae18a9074802b25c8ccbb770cd0250c69764821831da
Instruction Fuzzy Hash: 997159367083004BC7189A28CC8176BF7D2FBD5714F1D967EE8859B391DA796C06C789

Function 00668377 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa69f65447dda1ffe03ab89c33424245553a3914c13c366c4049f3a0b0f027b1
Instruction ID: 9845a84d2abcd46c8ddbf0231d11f533f114e8f10f986e3ab35259c40fde7719
Opcode Fuzzy Hash: aa69f65447dda1ffe03ab89c33424245553a3914c13c366c4049f3a0b0f027b1
Instruction Fuzzy Hash: 857155767083004FC7288A38CC816AAB7E3EBD1314F2EC67CD5859B391EA75AC02C795

Function 0043C410 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3dc16ecd7b4448801eac76fdb4f7a0424f660b866e84764e2ae5dcb335037c0
Instruction ID: 0cd67a1d4c463cf7bb1a6f2e51dfe691ed7b3697112ccb1748d151158b469d2c
Opcode Fuzzy Hash: f3dc16ecd7b4448801eac76fdb4f7a0424f660b866e84764e2ae5dcb335037c0
Instruction Fuzzy Hash: A56136356083119BCB149F28C891A7FB3E2FFD9350F15A92DE48597361EB34E851C789

Function 0066C677 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb58a145ff4770c586b77aaf7290c49a4124742f7d0c84271d59591087f2c90b
Instruction ID: 0e82c9e28b19afe2123a852195d1213edc8d5b92a3bb0d00638e944e8013db0f
Opcode Fuzzy Hash: eb58a145ff4770c586b77aaf7290c49a4124742f7d0c84271d59591087f2c90b
Instruction Fuzzy Hash: C26113346087419BCB249F28C850A7FBBE3EFC5760F15856CE8C587260EB30A851CB95

Function 00408FE0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee99c97f6f89cf30c3feef9581b9004457b133a689d45e6388639d76d7a6940e
Instruction ID: 14eed3b193b92f7bd7c91c1a12cb5a7423ebfd5753331b59b2878284fe61ec2b
Opcode Fuzzy Hash: ee99c97f6f89cf30c3feef9581b9004457b133a689d45e6388639d76d7a6940e
Instruction Fuzzy Hash: F971053124C3C28AD3119F7984903ABFFE0AFA2304F08597DE4D49B386D7798919D766

Function 00639247 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee99c97f6f89cf30c3feef9581b9004457b133a689d45e6388639d76d7a6940e
Instruction ID: 677b8c5f3483e93d6e790dc8742099785047ebbfee508cc2cff2cc30d73f5ae1
Opcode Fuzzy Hash: ee99c97f6f89cf30c3feef9581b9004457b133a689d45e6388639d76d7a6940e
Instruction Fuzzy Hash: 6271157164C3C28ED3119F7984D07ABFFE1AFA2304F08556DE4D18B342D3A9851ADBA2

Function 0042E440 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18dc34ae9a606a1da8fb6243ebac13852137b570fb580b94def7ef54e059c2e7
Instruction ID: 321a41b0e24768df93993f45ec39ff26ec6abcd782719345d1c535d6020f9ee2
Opcode Fuzzy Hash: 18dc34ae9a606a1da8fb6243ebac13852137b570fb580b94def7ef54e059c2e7
Instruction Fuzzy Hash: FE715622B59AF14BC318593D5C212AABA834FD6334FADC37EA9F18B3E1D5598C068345

Function 0065E6A7 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18dc34ae9a606a1da8fb6243ebac13852137b570fb580b94def7ef54e059c2e7
Instruction ID: 2ec7731d792eba3ba27532608042e6c5813fde3cae63b3ba7034a06ff59deb9e
Opcode Fuzzy Hash: 18dc34ae9a606a1da8fb6243ebac13852137b570fb580b94def7ef54e059c2e7
Instruction Fuzzy Hash: 99712A27B59A914BD72C493C4C213A9AA834FD6331F2DC37EE9F58B3E5D51A4D0A8340

Function 0042FD60 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a59191fe466e87ea392e17c001d7f114284416eb859047ee4e189d9d42fcda35
Instruction ID: 7a38c4d14191e423d518bcd012fcfe6135c3ceb1f89b606c91b16954ab462f1c
Opcode Fuzzy Hash: a59191fe466e87ea392e17c001d7f114284416eb859047ee4e189d9d42fcda35
Instruction Fuzzy Hash: 46712933B599A14B932C893C5C62266B9934BD72347AEC37FE5B1C73F5D96C480A8348

Function 0041D170 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300e2a16f2aa471d5cf9c35f9543d1f41723d5b77572bb696f02dc22411e4e29
Instruction ID: fafc8b41128148528121a67710092d43837a77869dcd5a4b7325ff8bb9b2a2ab
Opcode Fuzzy Hash: 300e2a16f2aa471d5cf9c35f9543d1f41723d5b77572bb696f02dc22411e4e29
Instruction Fuzzy Hash: 22610A73F4958047E328893C4C512AABA934FD2234F2DC7BEE9F5873E5C56988458346

Function 0064D3D7 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300e2a16f2aa471d5cf9c35f9543d1f41723d5b77572bb696f02dc22411e4e29
Instruction ID: e20ca124ef5bddedaeff0fa00809a974781431b6963ac5090b0ca3a43e274570
Opcode Fuzzy Hash: 300e2a16f2aa471d5cf9c35f9543d1f41723d5b77572bb696f02dc22411e4e29
Instruction Fuzzy Hash: 33610733F596804BE729893C5C212AABA934FD6234F2DC77DE5F5873E1C965880A8341

Function 00657873 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b8c690abf2efb454dae1f3dbf547b0327283a0684116c7804c5d8ca76ee694
Instruction ID: 19934d85eaf9bce66320f6d43fc3343fb6da86313004abfd84a780cd0a536f0e
Opcode Fuzzy Hash: e7b8c690abf2efb454dae1f3dbf547b0327283a0684116c7804c5d8ca76ee694
Instruction Fuzzy Hash: 1551697110C3018FD714DF24D862AABB7E2EF92715F04991CE8D69B791E334CA09DB5A

Function 00439140 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4fdf97a2f1a179d9e674d41816b876a5a1ec115cd740e6f1111616f76577ff
Instruction ID: 790f180e8d4a6f5c1ef5855a9cf66029b52f87d90570feadd83e32b30a7b9a35
Opcode Fuzzy Hash: 1c4fdf97a2f1a179d9e674d41816b876a5a1ec115cd740e6f1111616f76577ff
Instruction Fuzzy Hash: 8471C77160C3428FD715CF28C49062EBBE2AFC9314F188AAEE8D58B392D675DC41CB56

Function 006693A7 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1671da8b689c3d5195a3090a162cbeb7993de7ad31a143eb061ca5b2ebe63a
Instruction ID: 3b0d33565d0aa233f048ec5f02637408c02582952ea62406fb663201c9749834
Opcode Fuzzy Hash: db1671da8b689c3d5195a3090a162cbeb7993de7ad31a143eb061ca5b2ebe63a
Instruction Fuzzy Hash: 9871C37160D3518FC315CF29C49066EBBE6AFC5314F188AADE8D58B352DB35D842CB62

Function 0041D4B0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4fed3f0ba83135604789746c5e92f042240db01558bdd2702fb766c9ccdb92
Instruction ID: 804195c8b1f9a977300dfb6ed4e56dd22b4087539773d87b635c909f9b7ebc4a
Opcode Fuzzy Hash: 7d4fed3f0ba83135604789746c5e92f042240db01558bdd2702fb766c9ccdb92
Instruction Fuzzy Hash: 2F51E473F159808BD7188D3D8C112EA6A531BE7334B3E837B99B58B3E5C62A8C468355

Function 0041A790 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8c0ecc0da0eced31d3500927d73d3a40b888f2ec8c29f7fef54cba9e22d4b6
Instruction ID: cb991a55680070318c7d0b3c79711b513c51a95225e1ecc1281be0889af13ba2
Opcode Fuzzy Hash: cc8c0ecc0da0eced31d3500927d73d3a40b888f2ec8c29f7fef54cba9e22d4b6
Instruction Fuzzy Hash: 07513833A6A9814BE328893C4C502EA7A930BD3330F3DC77AD5B4873E4D5698C97435A

Function 0064A9F7 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8c0ecc0da0eced31d3500927d73d3a40b888f2ec8c29f7fef54cba9e22d4b6
Instruction ID: ebb211a47cc1fb70569a924ccbd36585098410e483683356d80ba0874d8599cb
Opcode Fuzzy Hash: cc8c0ecc0da0eced31d3500927d73d3a40b888f2ec8c29f7fef54cba9e22d4b6
Instruction Fuzzy Hash: 16513433F9A9814BE32889BC4C502AA7E834BE7330B3DD7B9E5B5873E4D5654C069352

Function 004282E8 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f69f23d04b8d3363161613e04029a9dd53a912bd554f0e8a5a3837446c2789
Instruction ID: 926b0f658338236115fec19bad7f90239f3caae2bc3b57b709916a7c7eb54a4e
Opcode Fuzzy Hash: 74f69f23d04b8d3363161613e04029a9dd53a912bd554f0e8a5a3837446c2789
Instruction Fuzzy Hash: 4961E0B1A413669FDB44CF68DC82A9ABF30FB06310B1542A9E450AF352C734C442CFD5

Function 0065854F Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f69f23d04b8d3363161613e04029a9dd53a912bd554f0e8a5a3837446c2789
Instruction ID: e92dfe52a4f1fa379c47de99f358f65ec9f37e1fbf314f09f66d5a63b4bf95db
Opcode Fuzzy Hash: 74f69f23d04b8d3363161613e04029a9dd53a912bd554f0e8a5a3837446c2789
Instruction Fuzzy Hash: 0161D0B1A413669FD744CF68CC82AAABF31FB06354B1542A8E854AF752C734C442CFD5

Function 00434870 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e168b79f61548e1623c39d89a8750a3322975b5e6821bc4d28b4c5b4afa9f4b
Instruction ID: 4b721b9351200411affedd0fe1460c26ece020c84106155a22f403e348d89d81
Opcode Fuzzy Hash: 1e168b79f61548e1623c39d89a8750a3322975b5e6821bc4d28b4c5b4afa9f4b
Instruction Fuzzy Hash: 05517DB15087548FE314DF69D49435BBBE1BBC8318F044A2EE4E987350E379DA088F86

Function 00664AD7 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e168b79f61548e1623c39d89a8750a3322975b5e6821bc4d28b4c5b4afa9f4b
Instruction ID: 91da02d715ebdb994f305e3e7a70f590848c841405aef12dadde33ca81cdaca8
Opcode Fuzzy Hash: 1e168b79f61548e1623c39d89a8750a3322975b5e6821bc4d28b4c5b4afa9f4b
Instruction Fuzzy Hash: C4514CB15087548FE714DF29D49475BBBE1BBC4314F044A2DE4E987350E77ADA088B82

Function 004029D0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
Instruction ID: 9a6b9e8a26fb0f3bc84429a8fb07d45c664269e9ebb10f82827b0a9ce94155c9
Opcode Fuzzy Hash: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
Instruction Fuzzy Hash: C1410B32B0827147CB188E2D8D9417ABAD75FC5205F0EC63AFCC5AB7D6D578990097D4

Function 00632C37 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
Instruction ID: cff1639cc14f2d7412ce89b65060a7e95ca67c4011ee0c80454bd4d4cf26fcca
Opcode Fuzzy Hash: 23b86555ce2a695d0511db9aff25f2c561b64c1b68d1782900c463b72642fbea
Instruction Fuzzy Hash: 0641B332B0827647CB188E2D8CA027EBAD79FC5209F1EC679ECD99B796D174890097D0

Function 0042B771 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903ef91e967a0d62a4c8ea8cf3112483b0a371131d01f03f766f21ce1a984c77
Instruction ID: 5c657de7f26490f95fdc6555e03d0d8e02ef097c67437bfc1f9f76acc00ffa76
Opcode Fuzzy Hash: 903ef91e967a0d62a4c8ea8cf3112483b0a371131d01f03f766f21ce1a984c77
Instruction Fuzzy Hash: 9441AF7094C3D28BC7368F2498207BBBFE4DFA6304F0409ADC5D997242D73945468B9A

Function 0065B9D8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fd72794bf92c42e0628dc9e11c29981845269d0ccc9d1bad35dd447571b562
Instruction ID: 48f3f391c4330af5486668b24fb22f0f0198dea0c63e7a1abd67106e8137bb0a
Opcode Fuzzy Hash: 08fd72794bf92c42e0628dc9e11c29981845269d0ccc9d1bad35dd447571b562
Instruction Fuzzy Hash: 4741CF7044C3C28BC7768F248820BFABFE1DFA6205F0419ACC8D997242D776454ACB66

Function 00645663 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecee6f15410c13631d7c5c80effdd0437fc7aa8527b12d00213042285622b0c9
Instruction ID: 0d560e293867d87914ecc5096cf089beb539e16df3c6ba9538b0715a5218f069
Opcode Fuzzy Hash: ecee6f15410c13631d7c5c80effdd0437fc7aa8527b12d00213042285622b0c9
Instruction Fuzzy Hash: 9F31F471A09740CFD7208F14C89569BBBE6FFD6314F188A2DE0DA8B7A1D7788801CB52

Function 00655907 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9433e60035ba4c9306ed9e0aa2f5c2921af3a1801f73c3913cadd04d8984d3d7
Instruction ID: 8b4df1429f59d5773ef37b739f22d5b647da20b6ca50d508e450cc8a5c28df1c
Opcode Fuzzy Hash: 9433e60035ba4c9306ed9e0aa2f5c2921af3a1801f73c3913cadd04d8984d3d7
Instruction Fuzzy Hash: 2041E7B290C3908BC728CF25895279FBAE2EBC2304F099A6CD4D99B351D7389505CB47

Function 0064503C Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8bf2e9819eb87572bb81ccb0d4d674af6c873cf630eceefd1d356f3448c08a
Instruction ID: f7cefca63bbfaecd2bc619ff476535338887bd04200f311abc0fede8e90033db
Opcode Fuzzy Hash: 5b8bf2e9819eb87572bb81ccb0d4d674af6c873cf630eceefd1d356f3448c08a
Instruction Fuzzy Hash: 4F213A79A0CB498BD324FF65D8416AA77D2EBA6305F08947CC08787622E774DC01CA86

Function 00645064 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cc50ef8cb8204e2310da8605f7ecbe597735a00937cee692f679b6252ba6fb
Instruction ID: 0d5c8c7021b0fdee3f01d6ab2db80b7632ec5ad57bac481da596b4b7aa65da79
Opcode Fuzzy Hash: 79cc50ef8cb8204e2310da8605f7ecbe597735a00937cee692f679b6252ba6fb
Instruction Fuzzy Hash: 0D21E57960C7488FD314EF65D8416AA77D2EBAA304F18947CD18683622E734D905CA46

Function 0066B987 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6ad7d9c34e7ea356eb3540795efbc1ab240de763d2a8bf3d96e86f7d4d8a92
Instruction ID: dc80c6f481c381cb9d11f854b9971c4ac8223b150531cc469161fc9d4c665147
Opcode Fuzzy Hash: 0f6ad7d9c34e7ea356eb3540795efbc1ab240de763d2a8bf3d96e86f7d4d8a92
Instruction Fuzzy Hash: 0621362060C7818BC318DF7844A153BFAD6DF9E320F199A3DD596DBA91EB28EE418744

Function 006669D7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae1ecbdd5ccb704cb593e8af954e716b6d7fc6c9e0ea1c3bdec56e73eb41192
Instruction ID: 52e17a6979517563213786bcf96cfa130bfef6dd27424a37455690fa1ad5a9f2
Opcode Fuzzy Hash: 2ae1ecbdd5ccb704cb593e8af954e716b6d7fc6c9e0ea1c3bdec56e73eb41192
Instruction Fuzzy Hash: 2421A53861435B8BCB24DF68D4806BEB3F2FF88B40F55C46DE88057224EB34AD659725

Function 00408A50 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aec68d1cb419c89565ea5824c88c8953c25aeeb2aa4d373872804785ba67db2
Instruction ID: 30c4168b9de1aa88309de4f0fa0d616f59544a5b9bd3e046015339af948f82e3
Opcode Fuzzy Hash: 8aec68d1cb419c89565ea5824c88c8953c25aeeb2aa4d373872804785ba67db2
Instruction Fuzzy Hash: 3B21A1379A2B284BD3108EA4DCC57913295E795328F3D86B98934AB3D2D97F9D0346D0

Function 0066A194 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c62428bf491b5cd3d65664c4b7e8c3e1a720bb021bcf12caf915044435b2f81
Instruction ID: 550820dd194bbc8aebfaa37297a8ba701b50406fe0bac9192e0ab2a0be13e2e7
Opcode Fuzzy Hash: 6c62428bf491b5cd3d65664c4b7e8c3e1a720bb021bcf12caf915044435b2f81
Instruction Fuzzy Hash: 7A21F136A505119BDB248F58CC52BB9B3B3FB86310F28D264D460BB298DB75AC028B84

Function 00638CB7 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aec68d1cb419c89565ea5824c88c8953c25aeeb2aa4d373872804785ba67db2
Instruction ID: 5de734425d1fc990d69c5224cccfff55b91c13d3deccd0f0f4f798e1e272ef69
Opcode Fuzzy Hash: 8aec68d1cb419c89565ea5824c88c8953c25aeeb2aa4d373872804785ba67db2
Instruction Fuzzy Hash: 512191779A27144BD3108E64D8857913295E79532CF2D86B889349B3D2D97F9D0386D0

Function 0043A35B Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa11c3f533b8eba760b25f0fb583a2543553b87029177c7212ae4619e256edf
Instruction ID: 319dea69129caf743b3be47d61f7b803c4b4f15ce93bdd553d01b9543d361ed5
Opcode Fuzzy Hash: 6fa11c3f533b8eba760b25f0fb583a2543553b87029177c7212ae4619e256edf
Instruction Fuzzy Hash: F4112934691A008FD769CB34DCA0AA737D3E79B310708D43CC082DB319D639D8139654

Function 0066A5C2 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa11c3f533b8eba760b25f0fb583a2543553b87029177c7212ae4619e256edf
Instruction ID: b5671aa897fa63c56a04dcae5ec14e81ab37682a64fb3d5e7945cfe8accbe32c
Opcode Fuzzy Hash: 6fa11c3f533b8eba760b25f0fb583a2543553b87029177c7212ae4619e256edf
Instruction Fuzzy Hash: A1112534651A008FE769CF34ECA0EA737D3E79A214708D47CC042DB319D639E803DA14

Function 00402B90 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47b3b87f24bf36e1815b4704a109b377dfb0146f8b33a2d13de1756e8a05215
Instruction ID: 0df1de46acb0cf65b8b5c8fb05c5283745532909b01a0f1a82a34596878673d8
Opcode Fuzzy Hash: b47b3b87f24bf36e1815b4704a109b377dfb0146f8b33a2d13de1756e8a05215
Instruction Fuzzy Hash: 7511C437B2962207E350DE66DCDC61B6352EBC531071A0535EE45E73C2C6B5FC02D1A4

Function 00632DF7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47b3b87f24bf36e1815b4704a109b377dfb0146f8b33a2d13de1756e8a05215
Instruction ID: c008e9dbbbd150b0b7ccdbbdd89e1fd3832a7d487ee0f4a32a6e4470e9999aa2
Opcode Fuzzy Hash: b47b3b87f24bf36e1815b4704a109b377dfb0146f8b33a2d13de1756e8a05215
Instruction Fuzzy Hash: 4411C177F2563207E350DE76ECE965A6793EBC5710B1A0534EE42C7342CA32EC02D2A0

Function 0040C37A Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0276c381715b2945f99c7dc68deaacbe48c6f20340770ea694c49548a2fdaf
Instruction ID: 5f0d0020cb13dd4835fa5de00ff150a82e71919640a4629c9d6ebba50eb82aa9
Opcode Fuzzy Hash: 3a0276c381715b2945f99c7dc68deaacbe48c6f20340770ea694c49548a2fdaf
Instruction Fuzzy Hash: 9221383239C3455FE3289F68ACC179B7693EBC7200F28953CD58597395DAB49401864A

Function 0063C5E1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0276c381715b2945f99c7dc68deaacbe48c6f20340770ea694c49548a2fdaf
Instruction ID: d9ac79612e9d7b85eff578c54224dd06d593082b39b0574fde408d2831b28733
Opcode Fuzzy Hash: 3a0276c381715b2945f99c7dc68deaacbe48c6f20340770ea694c49548a2fdaf
Instruction Fuzzy Hash: 6C21383239C3855FE3289F68ACC279B7693EBC7200F28943CD18497355DAB09401C74A

Function 00644EB5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7151ad882553f70474f0ac93b20907c905d09cc11fa36d9f59300a31a4a7befd
Instruction ID: 21265962f2030f5541ae3bc92c95c0c3348ce7d191aa5ebe1beb43f99631687a
Opcode Fuzzy Hash: 7151ad882553f70474f0ac93b20907c905d09cc11fa36d9f59300a31a4a7befd
Instruction Fuzzy Hash: F711047960C7049BD314EF65DC41A6AB7E2EB96304F14D83CE48687222E330EC51DB46

Function 0042F9F9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd3ba815e545802793895d0d3e6e113598bd4355775120722e9295541b527cf
Instruction ID: ebc889678609695a6549e626b9126ec4cf63e01cd8f6bf469e4a46f5b6b1cadb
Opcode Fuzzy Hash: 9fd3ba815e545802793895d0d3e6e113598bd4355775120722e9295541b527cf
Instruction Fuzzy Hash: 1421FAF0900B01AFD360EF39C906757BEF8EB49354F108A1EF4AA87691D371A5448BD6

Function 00432770 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: e33911fe9070215d35ca5e51225649dc2275d76c858c1e42cbf454372d559ea6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 6C114C33A081E00EC3168D3C8500566BFA32A97634F1D539AF4B49B3D3D7278D8B9369

Function 006629D7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 82e4314b6d98508528875291420d9b7e82d77c828e7d8a47bbec76060ad0b879
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4211C633A055D54EC3268D7C88105A5BFA30B93335F1D83D9F4B89B2D2D6228D8B8350

Function 00428AF0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1456515a9edc830b27937bd2ea67c7b0c014683399f621d5d944aff22c083c
Instruction ID: c50ce8cf9c5f9d345d43c63e05a9bff61589088a4a1618f9609e7476a1dc71ea
Opcode Fuzzy Hash: fe1456515a9edc830b27937bd2ea67c7b0c014683399f621d5d944aff22c083c
Instruction Fuzzy Hash: EF019EF1B0231247D7209E11A4C1B2BB6A86F94748F58443EE80967342DFBEFC05C29A

Function 00658D57 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7535f05dd4a46175debc66e07d30e994eec52d99248e542143134986f6c7e401
Instruction ID: c7f66c8578dc7fd55b18e86bbb7cb5195f65dd1cbad883a91cd69d3e088f2cc9
Opcode Fuzzy Hash: 7535f05dd4a46175debc66e07d30e994eec52d99248e542143134986f6c7e401
Instruction Fuzzy Hash: AB019EF1600B414FE6A09E1084C1BABB2FAAFA0701F18462CED1567B81DF66EC0986E5

Function 0040C2DA Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967e6cb9ea21bc44fcd4b8d920d1a98461da43aa88d1223373553775f3b866f5
Instruction ID: 48cd2bf5a38dda26d43492ad7cd4619b8b65fe667581452ef5a3b5f5612d356d
Opcode Fuzzy Hash: 967e6cb9ea21bc44fcd4b8d920d1a98461da43aa88d1223373553775f3b866f5
Instruction Fuzzy Hash: 0B01D27AB582048BE3448F75ACC13BBB792E7C2211F15E03DE48693295DD74E9469609

Function 0063C541 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967e6cb9ea21bc44fcd4b8d920d1a98461da43aa88d1223373553775f3b866f5
Instruction ID: 2f844e2b1cfd035be97c2c0005e51536dab714626b3c240a7b806171e6634f18
Opcode Fuzzy Hash: 967e6cb9ea21bc44fcd4b8d920d1a98461da43aa88d1223373553775f3b866f5
Instruction Fuzzy Hash: 8B01D27AB582008BE3448F75ACC13BBB7A2E7C2221F15E03DE48683294DD74E9468709

Function 00439DD7 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fd8bc342387add2a092c5241631615185f55dff440682e140d6b8b38744bd4
Instruction ID: ee3202f4c7b97d86cec6d154009762f68b7b73f0fade54c8394ff9d3109274f1
Opcode Fuzzy Hash: 76fd8bc342387add2a092c5241631615185f55dff440682e140d6b8b38744bd4
Instruction Fuzzy Hash: 5F01A93BE91B209BC3244FB8DDC226BEBE1EB59315F1D567EC981AB741C15C9C014794

Function 0066A03E Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fd8bc342387add2a092c5241631615185f55dff440682e140d6b8b38744bd4
Instruction ID: e53badc5a422bb915aad839d015ce0ad4aec52a2797e967f38324c9f52f3f19e
Opcode Fuzzy Hash: 76fd8bc342387add2a092c5241631615185f55dff440682e140d6b8b38744bd4
Instruction Fuzzy Hash: F901F93BE91B209BC3244FB8DDC22AAE7E1EB54315F1D567DC981BB741C15C9C014B94

Function 00630D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 4e22ff19d84ff57596d9aa5f73c4e7c363ef0844f3d0a7dee64623f48e534a4e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0201A276B006048FEF21CF64C814BEA33EAFF86316F4544E5D90A97381E774A9498BD0

Function 0063B47C Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986f956007d6aafca7d0f506bf3a26b902124ae92ef9fa45c3e426e617fbfc65
Instruction ID: a641a0b29ad7a628bce6b4fa11aabd325400e3a5c4ce905edb5c0a2ee31885cb
Opcode Fuzzy Hash: 986f956007d6aafca7d0f506bf3a26b902124ae92ef9fa45c3e426e617fbfc65
Instruction Fuzzy Hash: 03D06275C01641DBC7616F689C0171579F6AF93301F1660B5D414A3125EB714190961B

Function 00420273 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bc815a613c1751be835ce015be72e18a4da537f3dbe6440cfc7d58633fbcab
Instruction ID: 46708560f6ca2d1dc46b348cf292d49f35cc9a01d59c3a157677fa6b0df29c1c
Opcode Fuzzy Hash: 26bc815a613c1751be835ce015be72e18a4da537f3dbe6440cfc7d58633fbcab
Instruction Fuzzy Hash: ECB092A9C0A5118AE1222B123D028AAB0241A13348F182036E80632246AAAAF21A41AF

Function 006504DA Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c23e50ad28876e9d6d9af8189836815a17b9e84eeeb60cf8c7bb29be7b25b4
Instruction ID: ac3586996f8509e31fb69d27cfb881e8c8dcb61d8e7bd821bc9347dc347533ae
Opcode Fuzzy Hash: c1c23e50ad28876e9d6d9af8189836815a17b9e84eeeb60cf8c7bb29be7b25b4
Instruction Fuzzy Hash: 0FB092B1C02D548EA1A22B102D028EBB0261E93300F082034F81633201AA17D31A41FF

Function 0042CA86 Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 126COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042CAA3
VariantInit.OLEAUT32 ref: 0042CAAF

Strings

|, xrefs: 0042CB06
H, xrefs: 0042CB36
b, xrefs: 0042CADE
r, xrefs: 0042CB1E
d, xrefs: 0042CAE6
v, xrefs: 0042CB2E
f, xrefs: 0042CAEE
`, xrefs: 0042CAD6
+, xrefs: 0042CB12
z, xrefs: 0042CAFE
p, xrefs: 0042CB16
#, xrefs: 0042CAF2
w, xrefs: 0042CB32
x, xrefs: 0042CAF6
t, xrefs: 0042CB26
n, xrefs: 0042CACE
~, xrefs: 0042CB0E

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: Variant$ClearInit
String ID: #$+$H$`$b$d$f$n$p$r$t$v$w$x$z$|$~
API String ID: 2610073882-1420026244
Opcode ID: bc93ace1fb19dd6cbc5ba1ff76e95b63e44a6415564d3888fad730cb905eed8c
Instruction ID: bba19cad47cbc09fdce602340fa81b57c2504845b2b7314342cfe1c5007d5460
Opcode Fuzzy Hash: bc93ace1fb19dd6cbc5ba1ff76e95b63e44a6415564d3888fad730cb905eed8c
Instruction Fuzzy Hash: DF517C616087808FD715CF2CD8C4346BFE1AB56224F08869DD8D98F397C6B9E51AC7A2

Function 0065CCED Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 126COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0065CD0A
VariantInit.OLEAUT32 ref: 0065CD16

Strings

w, xrefs: 0065CD99
#, xrefs: 0065CD59
~, xrefs: 0065CD75
b, xrefs: 0065CD45
r, xrefs: 0065CD85
`, xrefs: 0065CD3D
+, xrefs: 0065CD79
t, xrefs: 0065CD8D
f, xrefs: 0065CD55
p, xrefs: 0065CD7D
H, xrefs: 0065CD9D
d, xrefs: 0065CD4D
n, xrefs: 0065CD35
|, xrefs: 0065CD6D
v, xrefs: 0065CD95
x, xrefs: 0065CD5D
z, xrefs: 0065CD65

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: #$+$H$`$b$d$f$n$p$r$t$v$w$x$z$|$~
API String ID: 2610073882-1420026244
Opcode ID: bc93ace1fb19dd6cbc5ba1ff76e95b63e44a6415564d3888fad730cb905eed8c
Instruction ID: b78093c043c803fc2d42de276225d2b1be42c48f450ac4c6793e51de7629404f
Opcode Fuzzy Hash: bc93ace1fb19dd6cbc5ba1ff76e95b63e44a6415564d3888fad730cb905eed8c
Instruction Fuzzy Hash: 2F516B616087808FD715CF2CC884356BFE26B56224F08869DD8D98F397C6B9E519C7A2

Function 0042E214 Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 110COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E21D
VariantInit.OLEAUT32 ref: 0042E229

Strings

v, xrefs: 0042E2A2
#, xrefs: 0042E266
p, xrefs: 0042E28A
~, xrefs: 0042E282
w, xrefs: 0042E2A6
t, xrefs: 0042E29A
H, xrefs: 0042E2AA
n, xrefs: 0042E242
f, xrefs: 0042E262
d, xrefs: 0042E25A
z, xrefs: 0042E272
b, xrefs: 0042E252
x, xrefs: 0042E26A
`, xrefs: 0042E24A
|, xrefs: 0042E27A
+, xrefs: 0042E286
r, xrefs: 0042E292

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: Variant$ClearInit
String ID: #$+$H$`$b$d$f$n$p$r$t$v$w$x$z$|$~
API String ID: 2610073882-1420026244
Opcode ID: 39c251f1ddcca10c82de37d1c1315afbdf94fd3ce9e614e8a7c0dc9c3a9eae82
Instruction ID: 27ae8df6bfe452d90fa98299eac70ec52b8bb6fba7fc67fd64aaefc02281aa35
Opcode Fuzzy Hash: 39c251f1ddcca10c82de37d1c1315afbdf94fd3ce9e614e8a7c0dc9c3a9eae82
Instruction Fuzzy Hash: 36515E21608B80CED715CF2CC888316BFA2AF56314F08869CD8E94F79AC2B9D515C762

Function 0065E47B Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 110COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0065E484
VariantInit.OLEAUT32 ref: 0065E490

Strings

n, xrefs: 0065E4A9
p, xrefs: 0065E4F1
b, xrefs: 0065E4B9
t, xrefs: 0065E501
d, xrefs: 0065E4C1
x, xrefs: 0065E4D1
w, xrefs: 0065E50D
r, xrefs: 0065E4F9
#, xrefs: 0065E4CD
H, xrefs: 0065E511
f, xrefs: 0065E4C9
z, xrefs: 0065E4D9
+, xrefs: 0065E4ED
`, xrefs: 0065E4B1
~, xrefs: 0065E4E9
|, xrefs: 0065E4E1
v, xrefs: 0065E509

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: #$+$H$`$b$d$f$n$p$r$t$v$w$x$z$|$~
API String ID: 2610073882-1420026244
Opcode ID: 39c251f1ddcca10c82de37d1c1315afbdf94fd3ce9e614e8a7c0dc9c3a9eae82
Instruction ID: 939d07ed2506cd46f8fe8095a09e8add78b2f58288bbd3143b5a83cf63393f2a
Opcode Fuzzy Hash: 39c251f1ddcca10c82de37d1c1315afbdf94fd3ce9e614e8a7c0dc9c3a9eae82
Instruction Fuzzy Hash: 0E514E61608B818ED715CF2CC888316BFA2AF96314F08869CD8E94F79AC2B9D515C762

Function 004303A0 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 122COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004303E9
GetSystemMetrics.USER32 ref: 004303F9

Strings

,JD, xrefs: 004304FA
$JD, xrefs: 004304EF
<JD, xrefs: 00430510
4JD, xrefs: 00430505
\JD, xrefs: 0043053C
ID, xrefs: 00430497
dJD, xrefs: 00430547
JD, xrefs: 004305F7
|JD, xrefs: 00430568
lJD, xrefs: 00430552
TJD, xrefs: 00430531
ID, xrefs: 004304A2
tJD, xrefs: 0043055D
LJD, xrefs: 00430526
DJD, xrefs: 0043051B

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: MetricsSystem
String ID: $JD$,JD$4JD$<JD$DJD$LJD$TJD$\JD$dJD$lJD$tJD$|JD$ID$ID$JD
API String ID: 4116985748-3178550189
Opcode ID: 61af0ff6b344d0ecf16c926413cbebbf17aec19816b652f4e17f2333359606d9
Instruction ID: 4993bee2220cd56ec42929eb4724edf548e2492ea3819b10b7fa3f44ac936714
Opcode Fuzzy Hash: 61af0ff6b344d0ecf16c926413cbebbf17aec19816b652f4e17f2333359606d9
Instruction Fuzzy Hash: 8F8147B04597C08BE7B0EF54C68978FBAE0BBC4709F508A1ED1D96B250CBB94549CF4A

Function 00660437 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00660447
GetClipboardData.USER32 ref: 00660468
CloseClipboard.USER32 ref: 006605F0

Strings

f, xrefs: 00660539
\, xrefs: 00660525
*, xrefs: 006604F8

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID: *$\$f
API String ID: 2058664381-1385958094
Opcode ID: ae55576ecb866219b69a7cddb780b42663f975dfaca26ccf850ebcc3af546580
Instruction ID: b080590a1aa5ace55c64858a988b6f79135ac3ab7d808172e4cb6e7fbedd74f1
Opcode Fuzzy Hash: ae55576ecb866219b69a7cddb780b42663f975dfaca26ccf850ebcc3af546580
Instruction Fuzzy Hash: 31519F7150C3818EE340AFBCC58839FBFE29B91304F19493DE5C687282D6B8854D9B67

Function 00652D4F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00652ECD

Strings

sE, xrefs: 00652E01
Fw, xrefs: 00652E09

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: Fw$sE
API String ID: 999431828-148487560
Opcode ID: efa6ec5b499574f24c003557c86db46860b5228a4bde5b95466ef94a86bc018c
Instruction ID: 993c535afb0c003194edd9849baa64daf43ce55a74b73012dcc29c1e337e4d7d
Opcode Fuzzy Hash: efa6ec5b499574f24c003557c86db46860b5228a4bde5b95466ef94a86bc018c
Instruction Fuzzy Hash: D04111B46083068BC7209F64C8A11ABBBF1EFC2754F04992DF4959B350E738C90ACB4B

Function 00422AF5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00422C66

Strings

sE, xrefs: 00422B9A
Fw, xrefs: 00422BA2

Memory Dump Source

Source File: 00000000.00000002.2209194828.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2209194828.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2209194828.0000000000450000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_asd.jbxd

Similarity

API ID: DrivesLogical
String ID: Fw$sE
API String ID: 999431828-148487560
Opcode ID: 2960ae5eba7a079c748d20736119c4332d0da532e3cd91fbc6822479fafa39a5
Instruction ID: 5d0ef94064040616e0ef438c2c180b71f1623f8c7b2dfcaf229c5b3ed8fac825
Opcode Fuzzy Hash: 2960ae5eba7a079c748d20736119c4332d0da532e3cd91fbc6822479fafa39a5
Instruction Fuzzy Hash: 66310EB46083158BC3209F25D99126BBBF0EF82304F40992EE1959B310E77CDA05CB4B

Function 00656284 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000), ref: 00656311
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000), ref: 006563A1

Strings

rs, xrefs: 00656373

Memory Dump Source

Source File: 00000000.00000002.2209571710.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_asd.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID: rs
API String ID: 1304948518-2514233613
Opcode ID: 233c6edd80d4006f07da70fb167ef46c99dfe79c0165654ac08f91b6d1311c5a
Instruction ID: be76e9c9a0dc07b46989e3a3c18913679e775c3d79d2a1f4599af72092e3fb40
Opcode Fuzzy Hash: 233c6edd80d4006f07da70fb167ef46c99dfe79c0165654ac08f91b6d1311c5a
Instruction Fuzzy Hash: 682107B011D780CFE7249F619416B9FFBF5ABC1710F20481CE5E98A392D6748506DB5B

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report asd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_asd.exe_61c5959f5fa884b224fe8127d1a5716d2ad95c_cd7cc746_282e3677-8c36-4a03-9b44-2409570e0382\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE47.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF14.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
asd.exe

Function 00408690 Relevance: 7.7, APIs: 5, Instructions: 232
threadCOMMON

Function 004A0C15 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0040AE60 Relevance: 3.0, Strings: 2, Instructions: 493
COMMON

Function 00439BE8 Relevance: 2.7, Strings: 2, Instructions: 165
COMMON

Function 00439AF0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 0063003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00630E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00439A90 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 0040A6E4 Relevance: 1.5, APIs: 1, Instructions: 23
networkCOMMON

Function 0043A412 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Function 004380E0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Function 004380B0 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON