Edit tour

Windows Analysis Report
h3VYJaQqI9.exe

Overview

General Information

Sample name:	h3VYJaQqI9.exe renamed because original name is a hash value
Original sample name:	d422626abd6f10fabbf6053e49c273129587843f49802b7f2123fa3907488fbf.exe
Analysis ID:	1586663
MD5:	3c183fbdc12ad0c81f49430831397ee1
SHA1:	1a156eca31ac583bf1b94fdf3e5b13e12132fd8f
SHA256:	d422626abd6f10fabbf6053e49c273129587843f49802b7f2123fa3907488fbf
Tags:	exeuser-adrian__luca
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Drops PE files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

h3VYJaQqI9.exe (PID: 280 cmdline: "C:\Users\user\Desktop\h3VYJaQqI9.exe" MD5: 3C183FBDC12AD0C81F49430831397EE1)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

h3VYJaQqI9.exe (PID: 4560 cmdline: "C:\Users\user\Desktop\h3VYJaQqI9.exe" MD5: 3C183FBDC12AD0C81F49430831397EE1)

p1NyAJLgZS.exe (PID: 5876 cmdline: "C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe" MD5: 5AFB8CE4DD3923219BD69BD7B5168D91)

nRIsFYood8.exe (PID: 6320 cmdline: "C:\Users\user\AppData\Roaming\nRIsFYood8.exe" MD5: 0F4F19C69E1C39AC07570D86BC8357DA)

conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nRIsFYood8.exe (PID: 1912 cmdline: "C:\Users\user\AppData\Roaming\nRIsFYood8.exe" MD5: 0F4F19C69E1C39AC07570D86BC8357DA)

nRIsFYood8.exe (PID: 2196 cmdline: "C:\Users\user\AppData\Roaming\nRIsFYood8.exe" MD5: 0F4F19C69E1C39AC07570D86BC8357DA)

svhost.exe (PID: 5964 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe" MD5: 5AFB8CE4DD3923219BD69BD7B5168D91)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["impend-differ.biz", "dwell-exclaim.biz", "se-blurry.biz", "zinc-sneark.biz", "print-vexer.biz", "dare-curbys.biz", "formy-spill.biz", "covery-mover.biz"], "Build id": "v9xfsR--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe, ProcessId: 5876, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.891992+0100	2028371	3	Unknown Traffic	192.168.2.6	49699	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.173854+0100	2058675	1	Domain Observed Used for C2 Detected	192.168.2.6	63137	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.185723+0100	2058677	1	Domain Observed Used for C2 Detected	192.168.2.6	57194	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.146926+0100	2058681	1	Domain Observed Used for C2 Detected	192.168.2.6	49477	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.162925+0100	2058679	1	Domain Observed Used for C2 Detected	192.168.2.6	58820	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.207837+0100	2058671	1	Domain Observed Used for C2 Detected	192.168.2.6	64534	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.196529+0100	2058673	1	Domain Observed Used for C2 Detected	192.168.2.6	52786	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.109986+0100	2058685	1	Domain Observed Used for C2 Detected	192.168.2.6	53277	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:57.125700+0100	2058683	1	Domain Observed Used for C2 Detected	192.168.2.6	51060	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T13:20:58.386121+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	49699	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Avira: detection malicious, Label: TR/AVI.ShinobuClipper.gwmgq
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Avira: detection malicious, Label: TR/AVI.ShinobuClipper.gwmgq

Found malware configuration

Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["impend-differ.biz", "dwell-exclaim.biz", "se-blurry.biz", "zinc-sneark.biz", "print-vexer.biz", "dare-curbys.biz", "formy-spill.biz", "covery-mover.biz"], "Build id": "v9xfsR--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: h3VYJaQqI9.exe

ReversingLabs: Detection: 71%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: h3VYJaQqI9.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000005.00000002.2119760707.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp	String decryptor: v9xfsR--

Source: h3VYJaQqI9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49699 version: TLS 1.2

Source:

Binary string: C:\Users\alik777\Desktop\ShinobuClipper-master\Clipper\Clipper\obj\Debug\Runtime64.pdb source: h3VYJaQqI9.exe, h3VYJaQqI9.exe, 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, p1NyAJLgZS.exe, 00000004.00000000.2110621372.000001E91B6A2000.00000002.00000001.01000000.00000006.sdmp, p1NyAJLgZS.exe.3.dr, svhost.exe.4.dr

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0041B6EA FindFirstFileExW,	3_2_0041B6EA
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_0091ACFE FindFirstFileExW,	5_2_0091ACFE
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_0091ADAF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_0091ADAF
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_0091ACFE FindFirstFileExW,	7_2_0091ACFE
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_0091ADAF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_0091ADAF

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx+28h]	8_2_0040C010
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx]	8_2_0043E1F0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-208346E3h]	8_2_004392E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov word ptr [edi], ax	8_2_0043BFC4
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp word ptr [edx+eax], 0000h	8_2_0042885D
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then lea eax, dword ptr [ecx+ecx]	8_2_00427868
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+000003FFh]	8_2_0042B873
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then add eax, 08000000h	8_2_0041C80F
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	8_2_0041C80F
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov eax, edx	8_2_0041C80F
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then jmp ecx	8_2_004048D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov dword ptr [esi+00000404h], E1D42A6Ch	8_2_0042B8FE
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov ecx, eax	8_2_0042B8FE
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	8_2_00425880
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx ecx, word ptr [edx]	8_2_004378AF
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp al, 5Ch	8_2_00402140
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov ebx, eax	8_2_0042C01F
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov edx, ecx	8_2_00419960
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov edx, eax	8_2_00419960
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	8_2_0043E930
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+000003FFh]	8_2_0042B849
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	8_2_0042A9F0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	8_2_00423253
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi]	8_2_0043EA60
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh	8_2_00439AD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh	8_2_00439AD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h	8_2_00439AD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh	8_2_00439AD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], E6C7F7C6h	8_2_00439AD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then lea ecx, dword ptr [edx+edx*4]	8_2_00409290
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C142CDAh	8_2_00437360
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then jmp eax	8_2_00437360
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov edi, ecx	8_2_0043AB6E
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp word ptr [edi+ecx+02h], 0000h	8_2_00418322
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp word ptr [edx+eax], 0000h	8_2_00428B30
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov ebp, eax	8_2_00405BD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov edi, ecx	8_2_0041D3A0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then add ecx, eax	8_2_00425BB7
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	8_2_00418442
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov edi, eax	8_2_0040B448
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+3Ch]	8_2_0040CC4E
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_0042A470
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov ecx, eax	8_2_00436C70
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-30h]	8_2_0042942A
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov word ptr [eax], dx	8_2_004204D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_004204D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	8_2_00416CDA
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_0041BCA4
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movsx ecx, byte ptr [ebp+esi+00h]	8_2_0043CD6A
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+esi*4+00h]	8_2_00408500
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 484CE391h	8_2_0043ED00
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20420D37h]	8_2_0041552C
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	8_2_0041552C
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov ebx, dword ptr [ebp-10h]	8_2_00428E12
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov ebp, eax	8_2_00424E16
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov byte ptr [edi], dl	8_2_0042B625
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_0041BE34
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_0041BE34
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov eax, edx	8_2_004176C7
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov edx, ecx	8_2_004176C7
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov edx, eax	8_2_004176C7
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then xor edi, edi	8_2_004176C7
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	8_2_0042AE80
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_00433F40
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000EBh]	8_2_0040A760
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then mov edx, ecx	8_2_00429760
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 4F699CD4h	8_2_0043EFD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then jmp dword ptr [004462A0h]	8_2_00429FD4
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+24h]	8_2_0041DFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057929 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.6:49477 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057979 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.6:49477 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058681 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.6:49477 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057943 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.6:52786 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.6:63137 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057971 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.6:52786 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057973 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.6:63137 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058675 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.6:63137 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057945 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.6:53277 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057935 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.6:64534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057983 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.6:53277 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058673 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.6:52786 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057969 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.6:64534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.6:57194 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058671 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.6:64534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057975 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.6:57194 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058677 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.6:57194 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058685 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.6:53277 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057949 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.6:51060 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057981 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.6:51060 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058683 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.6:51060 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.6:58820 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057977 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.6:58820 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058679 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.6:58820 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49699 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: covery-mover.biz

Source: global traffic

TCP traffic: 192.168.2.6:49229 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49699 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=5d95a3ea9875178caf916e46; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 09 Jan 2025 12:20:58 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=5d95a3ea9875178caf916e46; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 09 Jan 2025 12:20:58 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: se-blurry.biz
Source: global traffic	DNS traffic detected: DNS query: zinc-sneark.biz
Source: global traffic	DNS traffic detected: DNS query: dwell-exclaim.biz
Source: global traffic	DNS traffic detected: DNS query: formy-spill.biz
Source: global traffic	DNS traffic detected: DNS query: covery-mover.biz
Source: global traffic	DNS traffic detected: DNS query: dare-curbys.biz
Source: global traffic	DNS traffic detected: DNS query: print-vexer.biz
Source: global traffic	DNS traffic detected: DNS query: impend-differ.biz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: nRIsFYood8.exe, 00000008.00000002.2137940995.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covery-mover.biz/api
Source: nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: nRIsFYood8.exe, 00000008.00000002.2137940995.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/f
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: nRIsFYood8.exe, 00000008.00000003.2133974918.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: nRIsFYood8.exe, 00000008.00000002.2137940995.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: nRIsFYood8.exe, 00000008.00000002.2137940995.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptc
Source: nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49699 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe

Code function: 8_2_00431FC0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_00431FC0

Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe

Code function: 8_2_00431FC0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_00431FC0

Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe

Code function: 8_2_00432A7F GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

8_2_00432A7F

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BF2480	0_2_00BF2480
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BDA4E0	0_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00C00440	0_2_00C00440
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00C01C20	0_2_00C01C20
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BDA050	0_2_00BDA050
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BDA9B0	0_2_00BDA9B0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BE01DF	0_2_00BE01DF
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BFED30	0_2_00BFED30
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BF1FB0	0_2_00BF1FB0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BF0BF0	0_2_00BF0BF0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BDFFCC	0_2_00BDFFCC
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00402320	3_2_00402320
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00459000	3_2_00459000
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_004050C0	3_2_004050C0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00469160	3_2_00469160
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00440210	3_2_00440210
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0045E220	3_2_0045E220
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_004532C0	3_2_004532C0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00465350	3_2_00465350
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0045B320	3_2_0045B320
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00457380	3_2_00457380
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0045D3B0	3_2_0045D3B0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00456450	3_2_00456450
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00420470	3_2_00420470
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00467480	3_2_00467480
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0041951B	3_2_0041951B
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00454520	3_2_00454520
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00464590	3_2_00464590
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00415635	3_2_00415635
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_004586F0	3_2_004586F0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0045A6A0	3_2_0045A6A0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0045B790	3_2_0045B790
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00436860	3_2_00436860
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0045D870	3_2_0045D870
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00457810	3_2_00457810
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0043B830	3_2_0043B830
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0043F8B0	3_2_0043F8B0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00452930	3_2_00452930
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0044E9C0	3_2_0044E9C0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00453990	3_2_00453990
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0044F9B0	3_2_0044F9B0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00476AE2	3_2_00476AE2
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00451B90	3_2_00451B90
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00458B90	3_2_00458B90
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0045CC70	3_2_0045CC70
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00457CE0	3_2_00457CE0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0040FCF0	3_2_0040FCF0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00465CA0	3_2_00465CA0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0043FD40	3_2_0043FD40
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00455D50	3_2_00455D50
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00419D19	3_2_00419D19
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0045DD30	3_2_0045DD30
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0041DEC3	3_2_0041DEC3
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00438F40	3_2_00438F40
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00404F00	3_2_00404F00
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0040CF8F	3_2_0040CF8F
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BDA050	3_2_00BDA050
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BF2480	3_2_00BF2480
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BDA4E0	3_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BDA9B0	3_2_00BDA9B0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BF0BF0	3_2_00BF0BF0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BF1FB0	3_2_00BF1FB0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008FA150	5_2_008FA150
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008F9160	5_2_008F9160
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008F68AB	5_2_008F68AB
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008FD0D0	5_2_008FD0D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00908010	5_2_00908010
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008E1000	5_2_008E1000
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008EA050	5_2_008EA050
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008EA9B0	5_2_008EA9B0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_009089C0	5_2_009089C0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00913900	5_2_00913900
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00921282	5_2_00921282
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00905AC0	5_2_00905AC0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_0090FAF0	5_2_0090FAF0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008FDA60	5_2_008FDA60
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00900BF0	5_2_00900BF0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00903330	5_2_00903330
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00901B20	5_2_00901B20
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00907B50	5_2_00907B50
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_009084D0	5_2_009084D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_009004F0	5_2_009004F0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008EA4E0	5_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00907410	5_2_00907410
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00911C20	5_2_00911C20
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00910440	5_2_00910440
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008FED09	5_2_008FED09
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_0090ED30	5_2_0090ED30
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00902E90	5_2_00902E90
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008E3EA6	5_2_008E3EA6
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008E36E0	5_2_008E36E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00904E40	5_2_00904E40
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00901FB0	5_2_00901FB0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008FD0D0	7_2_008FD0D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00908010	7_2_00908010
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008E1000	7_2_008E1000
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008EA050	7_2_008EA050
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008EA9B0	7_2_008EA9B0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_009089C0	7_2_009089C0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00913900	7_2_00913900
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008FE130	7_2_008FE130
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008FA150	7_2_008FA150
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008F9160	7_2_008F9160
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00921282	7_2_00921282
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00905AC0	7_2_00905AC0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_0090FAF0	7_2_0090FAF0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008FDA60	7_2_008FDA60
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00900BF0	7_2_00900BF0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00903330	7_2_00903330
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00901B20	7_2_00901B20
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008FC330	7_2_008FC330
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00907B50	7_2_00907B50
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00902480	7_2_00902480
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_009084D0	7_2_009084D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008FECC0	7_2_008FECC0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_009004F0	7_2_009004F0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008EA4E0	7_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00907410	7_2_00907410
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00911C20	7_2_00911C20
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00910440	7_2_00910440
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_0090ED30	7_2_0090ED30
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00902E90	7_2_00902E90
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008E36E0	7_2_008E36E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00904E40	7_2_00904E40
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00901FB0	7_2_00901FB0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_009037A0	7_2_009037A0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008E5FD0	7_2_008E5FD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00905F30	7_2_00905F30
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0040C010	8_2_0040C010
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043E620	8_2_0043E620
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004097D0	8_2_004097D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0042884E	8_2_0042884E
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0042885D	8_2_0042885D
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00427868	8_2_00427868
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00411877	8_2_00411877
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041C80F	8_2_0041C80F
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0042C026	8_2_0042C026
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00416026	8_2_00416026
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041C0C0	8_2_0041C0C0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004048D0	8_2_004048D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0042F0F8	8_2_0042F0F8
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00425880	8_2_00425880
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004378AF	8_2_004378AF
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0042C01F	8_2_0042C01F
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00436950	8_2_00436950
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041F160	8_2_0041F160
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00419960	8_2_00419960
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00406120	8_2_00406120
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004189D5	8_2_004189D5
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0042F9F0	8_2_0042F9F0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00405989	8_2_00405989
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00423253	8_2_00423253
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00421260	8_2_00421260
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043EA60	8_2_0043EA60
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0040A270	8_2_0040A270
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00423A10	8_2_00423A10
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043A220	8_2_0043A220
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00402A30	8_2_00402A30
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00436230	8_2_00436230
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041B2C0	8_2_0041B2C0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043F2C0	8_2_0043F2C0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00439AD0	8_2_00439AD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004232D9	8_2_004232D9
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00409290	8_2_00409290
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043D290	8_2_0043D290
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043DAA0	8_2_0043DAA0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0040BB40	8_2_0040BB40
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00437360	8_2_00437360
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0040EBC9	8_2_0040EBC9
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00405BD0	8_2_00405BD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004232D9	8_2_004232D9
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00425B80	8_2_00425B80
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00404B8D	8_2_00404B8D
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00429B96	8_2_00429B96
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041D3A0	8_2_0041D3A0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00425BB7	8_2_00425BB7
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0040CC4E	8_2_0040CC4E
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00403450	8_2_00403450
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00426C51	8_2_00426C51
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043D46A	8_2_0043D46A
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00436C70	8_2_00436C70
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043D420	8_2_0043D420
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00416C25	8_2_00416C25
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00423CD0	8_2_00423CD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00427499	8_2_00427499
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00431D50	8_2_00431D50
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00418D59	8_2_00418D59
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043D560	8_2_0043D560
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00404D67	8_2_00404D67
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043CD6A	8_2_0043CD6A
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00408500	8_2_00408500
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00426500	8_2_00426500
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043ED00	8_2_0043ED00
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00416509	8_2_00416509
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041250B	8_2_0041250B
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041552C	8_2_0041552C
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00427DF3	8_2_00427DF3
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00423E40	8_2_00423E40
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00421E60	8_2_00421E60
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00405671	8_2_00405671
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00403E10	8_2_00403E10
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00424E16	8_2_00424E16
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00423E1F	8_2_00423E1F
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00412E20	8_2_00412E20
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004176C7	8_2_004176C7
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0042FED0	8_2_0042FED0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004376D0	8_2_004376D0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00423ED4	8_2_00423ED4
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041D680	8_2_0041D680
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0040A760	8_2_0040A760
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00435FD0	8_2_00435FD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043EFD0	8_2_0043EFD0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0043D780	8_2_0043D780
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004357AE	8_2_004357AE
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_004067B0	8_2_004067B0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_0041DFB0	8_2_0041DFB0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00422FBF	8_2_00422FBF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Code function: 9_2_00007FFD347608F5	9_2_00007FFD347608F5

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: String function: 00407D30 appears 55 times
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: String function: 004153F0 appears 59 times
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: String function: 004090A0 appears 48 times
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: String function: 00915300 appears 53 times

Source: h3VYJaQqI9.exe	Binary or memory string: OriginalFilename vs h3VYJaQqI9.exe
Source: h3VYJaQqI9.exe, 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRuntime64.exeL vs h3VYJaQqI9.exe
Source: h3VYJaQqI9.exe, 00000003.00000002.2113304502.00000000013FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRuntime64.}4 vs h3VYJaQqI9.exe

Source: h3VYJaQqI9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: h3VYJaQqI9.exe	Static PE information: Section: .bss ZLIB complexity 1.0003144862288136
Source: h3VYJaQqI9.exe	Static PE information: Section: .bss ZLIB complexity 1.0003144862288136
Source: nRIsFYood8.exe.3.dr	Static PE information: Section: .bss ZLIB complexity 1.000330982592282
Source: nRIsFYood8.exe.3.dr	Static PE information: Section: .bss ZLIB complexity 1.000330982592282

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@14/4@9/1

Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe

Code function: 8_2_0042E957 CoCreateInstance,

8_2_0042E957

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

File created: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Mutant created: \Sessions\1\BaseNamedObjects\sodfksdkfalksdasgpkprgasdgrrkgwhrterheegwsdfwef
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03

Source: h3VYJaQqI9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: h3VYJaQqI9.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

File read: C:\Users\user\Desktop\h3VYJaQqI9.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\h3VYJaQqI9.exe "C:\Users\user\Desktop\h3VYJaQqI9.exe"
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\Desktop\h3VYJaQqI9.exe "C:\Users\user\Desktop\h3VYJaQqI9.exe"
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe "C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe"
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe"
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\Desktop\h3VYJaQqI9.exe "C:\Users\user\Desktop\h3VYJaQqI9.exe"	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe "C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"	Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: h3VYJaQqI9.exe

Static file information: File size 2605056 > 1048576

Source: h3VYJaQqI9.exe	Static PE information: Raw size of .bss is bigger than: 0x100000 < 0x118400
Source: h3VYJaQqI9.exe	Static PE information: Raw size of .bss is bigger than: 0x100000 < 0x118400

Source:

Source: h3VYJaQqI9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: h3VYJaQqI9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: h3VYJaQqI9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: h3VYJaQqI9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: h3VYJaQqI9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: p1NyAJLgZS.exe.3.dr

Static PE information: 0xFD2F6FAD [Sat Aug 9 17:00:29 2104 UTC]

Source: h3VYJaQqI9.exe	Static PE information: section name: .usa
Source: nRIsFYood8.exe.3.dr	Static PE information: section name: .usa

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BE5586 push 940F5545h; ret	0_2_00BE558C
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_004076E0 push ecx; ret	3_2_004076F3
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00428E7D push esi; ret	3_2_00428E86
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00470FCE push ecx; ret	3_2_00470FE1
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BDEF48 push 940F5545h; ret	3_2_00BDEF4E
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Code function: 4_2_00007FFD347800BD pushad ; iretd	4_2_00007FFD347800C1
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_0090AB48 push 940F9964h; ret	5_2_0090AB4D
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00909481 push ss; iretd	5_2_00909482
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00909463 push ss; iretd	5_2_00909464
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_0091B76E push ecx; ret	5_2_0091B781
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_0090AB48 push 940F9964h; ret	7_2_0090AB4D
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00909481 push ss; iretd	7_2_00909482
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00909463 push ss; iretd	7_2_00909464
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_0091B76E push ecx; ret	7_2_0091B781
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00444369 pushfd ; iretd	8_2_00444379
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 8_2_00439770 push eax; mov dword ptr [esp], 20272625h	8_2_0043977E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Code function: 9_2_00007FFD347600BD pushad ; iretd	9_2_00007FFD347600C1

Source: h3VYJaQqI9.exe	Static PE information: section name: .text entropy: 6.942617427597996
Source: nRIsFYood8.exe.3.dr	Static PE information: section name: .text entropy: 6.942617427597996

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	File created: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	File created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Memory allocated: 1E91B9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Memory allocated: 1E935400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Memory allocated: 233666C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Memory allocated: 23300000000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window / User API: threadDelayed 1704			Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Window / User API: threadDelayed 8289			Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	API coverage: 6.6 %
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	API coverage: 5.7 %

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe TID: 5852	Thread sleep count: 1704 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe TID: 5852	Thread sleep time: -1704000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe TID: 5852	Thread sleep count: 8289 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe TID: 5852	Thread sleep time: -8289000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe TID: 4904	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe TID: 4924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0041B6EA FindFirstFileExW,	3_2_0041B6EA
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_0091ACFE FindFirstFileExW,	5_2_0091ACFE
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_0091ADAF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	5_2_0091ADAF
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_0091ACFE FindFirstFileExW,	7_2_0091ACFE
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_0091ADAF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_0091ADAF

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH P
Source: nRIsFYood8.exe, 00000008.00000003.2133974918.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137940995.00000000014FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe

Code function: 8_2_0043BD50 LdrInitializeThunk,

8_2_0043BD50

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

Code function: 3_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00407B01

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BDA4E0 mov edi, dword ptr fs:[00000030h]	0_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BDA4E0 mov edi, dword ptr fs:[00000030h]	0_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BDA4E0 mov edi, dword ptr fs:[00000030h]	0_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00BDA4E0 mov edi, dword ptr fs:[00000030h]	0_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0041914C mov eax, dword ptr fs:[00000030h]	3_2_0041914C
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_004114A6 mov ecx, dword ptr fs:[00000030h]	3_2_004114A6
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0043FD40 mov edi, dword ptr fs:[00000030h]	3_2_0043FD40
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0043FD40 mov edi, dword ptr fs:[00000030h]	3_2_0043FD40
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0043FD40 mov edi, dword ptr fs:[00000030h]	3_2_0043FD40
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0043FD40 mov edi, dword ptr fs:[00000030h]	3_2_0043FD40
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BDA4E0 mov edi, dword ptr fs:[00000030h]	3_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BDA4E0 mov edi, dword ptr fs:[00000030h]	3_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BDA4E0 mov edi, dword ptr fs:[00000030h]	3_2_00BDA4E0
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00BDA4E0 mov edi, dword ptr fs:[00000030h]	3_2_00BDA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008EA4E0 mov edi, dword ptr fs:[00000030h]	5_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008EA4E0 mov edi, dword ptr fs:[00000030h]	5_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008EA4E0 mov edi, dword ptr fs:[00000030h]	5_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_008EA4E0 mov edi, dword ptr fs:[00000030h]	5_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008EA4E0 mov edi, dword ptr fs:[00000030h]	7_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008EA4E0 mov edi, dword ptr fs:[00000030h]	7_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008EA4E0 mov edi, dword ptr fs:[00000030h]	7_2_008EA4E0
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_008EA4E0 mov edi, dword ptr fs:[00000030h]	7_2_008EA4E0

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

Code function: 3_2_0041EFD8 GetProcessHeap,

3_2_0041EFD8

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 0_2_00C04AF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C04AF4
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00407B01
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00407C63 SetUnhandledExceptionFilter,	3_2_00407C63
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00407D75 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00407D75
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_0040DD78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0040DD78
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: 3_2_00C04AF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00C04AF4
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00915133 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00915133
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 5_2_00914AF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00914AF4
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_009171B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_009171B3
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00915133 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00915133
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Code function: 7_2_00914AF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00914AF4

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Memory written: C:\Users\user\Desktop\h3VYJaQqI9.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Memory written: C:\Users\user\AppData\Roaming\nRIsFYood8.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\Desktop\h3VYJaQqI9.exe "C:\Users\user\Desktop\h3VYJaQqI9.exe"	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe "C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe	Process created: C:\Users\user\AppData\Roaming\nRIsFYood8.exe "C:\Users\user\AppData\Roaming\nRIsFYood8.exe"	Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

Code function: 3_2_004077E0 cpuid

3_2_004077E0

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: EnumSystemLocalesW,	3_2_00414138
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_0041E412
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: GetLocaleInfoW,	3_2_0041465E
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: GetLocaleInfoW,	3_2_0041E60D
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: EnumSystemLocalesW,	3_2_0041E6FF
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: EnumSystemLocalesW,	3_2_0041E6B4
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: EnumSystemLocalesW,	3_2_0041E79A
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_0041E825
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: GetLocaleInfoW,	3_2_0041EA78
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0041EBA1
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: GetLocaleInfoW,	3_2_0041ECA7
Source: C:\Users\user\Desktop\h3VYJaQqI9.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_0041ED76

Source: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	Queries volume information: C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\h3VYJaQqI9.exe

Code function: 0_2_00C05009 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C05009

Source: C:\Users\user\AppData\Roaming\nRIsFYood8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
h3VYJaQqI9.exe	71%	ReversingLabs	Win32.Trojan.Generic
h3VYJaQqI9.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	100%	Avira	TR/AVI.ShinobuClipper.gwmgq
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	100%	Avira	TR/AVI.ShinobuClipper.gwmgq
C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\nRIsFYood8.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	87%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Roaming\nRIsFYood8.exe	63%	ReversingLabs	Win32.Trojan.Lumma
C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe	87%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
dare-curbys.biz	unknown	unknown	false	high
impend-differ.biz	unknown	unknown	false	high
se-blurry.biz	unknown	unknown	false	high
zinc-sneark.biz	unknown	unknown	false	high
print-vexer.biz	unknown	unknown	false	high
dwell-exclaim.biz	unknown	unknown	false	high
covery-mover.biz	unknown	unknown	false	high
formy-spill.biz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
dare-curbys.biz	false	high
impend-differ.biz	false	high
dwell-exclaim.biz	false	high
zinc-sneark.biz	false	high
formy-spill.biz	false	high
se-blurry.biz	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
covery-mover.biz	false	high
print-vexer.biz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	nRIsFYood8.exe, 00000008.00000002.2137940995.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://covery-mover.biz/api	nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014DC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	nRIsFYood8.exe, 00000008.00000002.2137940995.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	nRIsFYood8.exe, 00000008.00000003.2133974918.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2138061188.0000000001508000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/f	nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014CC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	nRIsFYood8.exe, 00000008.00000002.2137940995.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000002.2137715800.00000000014AC000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	nRIsFYood8.exe, 00000008.00000003.2132731981.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2134194342.0000000001504000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2133909401.0000000001507000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	nRIsFYood8.exe, 00000008.00000003.2132646281.0000000001542000.00000004.00000020.00020000.00000000.sdmp, nRIsFYood8.exe, 00000008.00000003.2132646281.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586663
Start date and time:	2025-01-09 13:20:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	h3VYJaQqI9.exe renamed because original name is a hash value
Original Sample Name:	d422626abd6f10fabbf6053e49c273129587843f49802b7f2123fa3907488fbf.exe
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@14/4@9/1
EGA Information:	Successful, ratio: 57.1%
HCA Information:	Successful, ratio: 66% Number of executed functions: 45 Number of non-executed functions: 159
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target nRIsFYood8.exe, PID 1912 because there are no executed function
Execution Graph export aborted for target p1NyAJLgZS.exe, PID 5876 because it is empty
Execution Graph export aborted for target svhost.exe, PID 5964 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: h3VYJaQqI9.exe

Simulations

Behavior and APIs

Time	Type	Description
07:20:56	API Interceptor	2x Sleep call for process: nRIsFYood8.exe modified
07:21:28	API Interceptor	141481x Sleep call for process: p1NyAJLgZS.exe modified
13:20:58	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	asd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.102.49.254
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	mpsl.elf	Get hash	malicious	Mirai	Browse	23.63.155.206
	m68k.elf	Get hash	malicious	Mirai	Browse	23.40.78.0
	arm.elf	Get hash	malicious	Mirai	Browse	23.218.112.97
	arm7.elf	Get hash	malicious	Mirai	Browse	23.204.246.84
	ppc.elf	Get hash	malicious	Mirai	Browse	23.13.196.167
	sh4.elf	Get hash	malicious	Mirai	Browse	23.37.180.19
	https://booking.pathqerunknowns.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.102.43.106
	message__51fa7b20_1571_b6cf_e82f_a6f0e2bfa4a2_jamestraversgarage_ie_.eml	Get hash	malicious	Unknown	Browse	2.19.126.151
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	s7.mp4.hta	Get hash	malicious	LummaC	Browse	104.102.49.254
	uU6IvUPN39.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	104.102.49.254

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

Download File

Process:	C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.686100453156256
Encrypted:	false
SSDEEP:	192:K62b/BKfnRxvFZCg0UZm7NVAXO7E/X5HjMWD9ep:K62b/BKfnRxvFZC/UZ+mXO7E/XZMWp
MD5:	5AFB8CE4DD3923219BD69BD7B5168D91
SHA1:	E06283294510284AF9082EB67D368E6D88D9E232
SHA-256:	F727BBA8D917FA3F129D71745E0741A8511F940B1A6817FF5130AA2F3AE85C79
SHA-512:	8135EFB34C768A9C292B54BC25845DD9B388E98F9F0B67918FBF5887C8E1D3DA81BB84E044EEBDF0868C40A685BD157DAAFB4789B373DEA3E273C5275EBD0740
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o/..........."...0.. ...........>... ...@....@.. ....................................`..................................>..O....@.......................`.......=..8............................................ ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.....................@..B.................>......H.......l&..t...........................................................".(.........0................r...p.......................s....%r...pr...po.....%r]..prg..po.....%r...pr...po.....%r...pr...po.....%rk..prs..po.....%r4..pr<..po.....%r...pr...po.....%r...pr...po.....%r ..pr0..po.....%r...pr...po.....%r...pr...po.....%r&..pr0..po..........r...p.......0..,........(.....(.........,.(.....(.....(.....(.....".(.........0...........~......,.~....%o.....`o........0..........

C:\Users\user\AppData\Roaming\nRIsFYood8.exe

Download File

Process:	C:\Users\user\Desktop\h3VYJaQqI9.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	919552
Entropy (8bit):	7.803662819540024
Encrypted:	false
SSDEEP:	24576:fQFpOSsWGI7jyxizDs5oy9F1IxizDs5oy9F1:fQFprsWGIHw9PC9P
MD5:	0F4F19C69E1C39AC07570D86BC8357DA
SHA1:	85C6B48DD81B9EB071FED00D76F8351B517974E3
SHA-256:	89B62603775904CB0F7ACC357DF34953A4BAAB90DEEF47E8A3BC2FFC49808927
SHA-512:	C19B08B56C3F89C436726505DC6DD61BEE4D1E18F5EEDF2B1972DB5F8EC01DB0610DDD00C5AE55DD7B9861AFB9D4A86293808A10C47D92EBC3A173CA17200B62
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ig............................cM............@..........................P............@..................................o..P....@..........................\....................................!..............<q..L............................text............................... ..`.rdata...^... ...`..................@..@.data...\|............r..............@....usa................................@..@.reloc..\........0..................@..B.bss.....................................bss.................\...................rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe

Download File

Process:	C:\Users\user\Desktop\h3VYJaQqI9.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.686100453156256
Encrypted:	false
SSDEEP:	192:K62b/BKfnRxvFZCg0UZm7NVAXO7E/X5HjMWD9ep:K62b/BKfnRxvFZC/UZ+mXO7E/XZMWp
MD5:	5AFB8CE4DD3923219BD69BD7B5168D91
SHA1:	E06283294510284AF9082EB67D368E6D88D9E232
SHA-256:	F727BBA8D917FA3F129D71745E0741A8511F940B1A6817FF5130AA2F3AE85C79
SHA-512:	8135EFB34C768A9C292B54BC25845DD9B388E98F9F0B67918FBF5887C8E1D3DA81BB84E044EEBDF0868C40A685BD157DAAFB4789B373DEA3E273C5275EBD0740
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o/..........."...0.. ...........>... ...@....@.. ....................................`..................................>..O....@.......................`.......=..8............................................ ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.....................@..B.................>......H.......l&..t...........................................................".(.........0................r...p.......................s....%r...pr...po.....%r]..prg..po.....%r...pr...po.....%r...pr...po.....%rk..prs..po.....%r4..pr<..po.....%r...pr...po.....%r...pr...po.....%r ..pr0..po.....%r...pr...po.....%r...pr...po.....%r&..pr0..po..........r...p.......0..,........(.....(.........,.(.....(.....(.....(.....".(.........0...........~......,.~....%o.....`o........0..........

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.964520789363801
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	h3VYJaQqI9.exe
File size:	2'605'056 bytes
MD5:	3c183fbdc12ad0c81f49430831397ee1
SHA1:	1a156eca31ac583bf1b94fdf3e5b13e12132fd8f
SHA256:	d422626abd6f10fabbf6053e49c273129587843f49802b7f2123fa3907488fbf
SHA512:	9a967699b90151129c50b0b9ff2344c4f3c84bda805fbfdfe15c6c44ea814c40ea0bfe39b43f8cfc1c7c5937534ac63e9744e78f12bed60b31147b6124a263ce
SSDEEP:	49152:eQFprsWGIHAxqOx6V8KG0b1yMGgxqOx6V8KG0b1yMG:eKprsWTFOsKsnGFOsKsnG
TLSH:	75C522124A967053FE9834F329A9A371305AB373A2B48DE79073B56C67911C1C1E3F6E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....Ig............................cM............@...........................(.....w.(...@..................................o..P..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x434d63
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x6749C7ED [Fri Nov 29 13:55:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	028d0ca031b065037993ec6f91b10058

Entrypoint Preview

Instruction
call 00007F2B3987B56Bh
jmp 00007F2B3987B189h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F2B3987B31Fh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [00449468h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007F2B3987B319h
call 00007F2B3987D111h
jmp 00007F2B3987B31Dh
push 00449468h
call 00007F2B3987D094h
pop ecx
neg eax
pop ecx
sbb eax, eax
not eax
and eax, dword ptr [ebp+08h]
pop ebp
ret
push 00000008h
push 00447970h
call 00007F2B3987B85Ah
and dword ptr [ebp-04h], 00000000h
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
jne 00007F2B3987B36Fh
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F2B3987B35Eh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F2B3987B350h
mov eax, dword ptr [ebp+08h]
mov ecx, 00400000h
sub eax, ecx
push eax
push ecx
call 00007F2B3987B492h
pop ecx
pop ecx
test eax, eax
je 00007F2B3987B339h
cmp dword ptr [eax+24h], 00000000h
jl 00007F2B3987B333h
mov dword ptr [ebp-04h], FFFFFFFEh
mov al, 01h
jmp 00007F2B3987B331h
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
xor ecx, ecx
cmp dword ptr [eax], C0000005h
sete cl
mov eax, ecx
ret
mov esp, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x46fa0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x280000	0x308	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b000	0x2e5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x42180	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4713c	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x408ac	0x40a00	2c592dabfd294537cdf6837a5f453ee5	False	0.47352892287234044	data	6.942617427597996	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0x5ed4	0x6000	ebdb1f01f7f1ca4f49d6e5a676dbb19d	False	0.4101155598958333	TeX font metric data	4.71785049779392	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x48000	0x1b7c	0x1000	b01b0f17d4a6745f365137a4a7caf03e	False	0.46533203125	data	4.811144626576604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.usa	0x4a000	0x8	0x200	2f184b9d44b92d6e6e8514fe402f986e	False	0.03125	OpenPGP Secret Key	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4b000	0x2e5c	0x3000	63b0d786179a93b99213cb0f68e1bb4a	False	0.78564453125	data	6.675839833623363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x4e000	0x118400	0x118400	82c995491e72a015be9da9c3ee93e4a2	False	1.0003144862288136	data	7.9998332225365765	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x167000	0x118400	0x118400	82c995491e72a015be9da9c3ee93e4a2	False	1.0003144862288136	data	7.9998332225365765	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x280000	0x308	0x400	7a06dda05a8b10ecac1792c3c5d80c80	False	0.3994140625	data	4.339212002882091	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x280058	0x2b0	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5261627906976745

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll	BeginPaint, CreateWindowExW, DefWindowProcW, DispatchMessageW, EndPaint, GetMessageW, PostQuitMessage, RegisterClassW, ShowWindow, TranslateMessage, UpdateWindow
GDI32.dll	TextOutW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T13:20:57.109986+0100	2057945	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)	1	192.168.2.6	53277	1.1.1.1	53	UDP
2025-01-09T13:20:57.109986+0100	2057983	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)	1	192.168.2.6	53277	1.1.1.1	53	UDP
2025-01-09T13:20:57.109986+0100	2058685	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)	1	192.168.2.6	53277	1.1.1.1	53	UDP
2025-01-09T13:20:57.125700+0100	2057949	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)	1	192.168.2.6	51060	1.1.1.1	53	UDP
2025-01-09T13:20:57.125700+0100	2057981	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)	1	192.168.2.6	51060	1.1.1.1	53	UDP
2025-01-09T13:20:57.125700+0100	2058683	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)	1	192.168.2.6	51060	1.1.1.1	53	UDP
2025-01-09T13:20:57.146926+0100	2057929	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)	1	192.168.2.6	49477	1.1.1.1	53	UDP
2025-01-09T13:20:57.146926+0100	2057979	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)	1	192.168.2.6	49477	1.1.1.1	53	UDP
2025-01-09T13:20:57.146926+0100	2058681	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)	1	192.168.2.6	49477	1.1.1.1	53	UDP
2025-01-09T13:20:57.162925+0100	2057931	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)	1	192.168.2.6	58820	1.1.1.1	53	UDP
2025-01-09T13:20:57.162925+0100	2057977	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)	1	192.168.2.6	58820	1.1.1.1	53	UDP
2025-01-09T13:20:57.162925+0100	2058679	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)	1	192.168.2.6	58820	1.1.1.1	53	UDP
2025-01-09T13:20:57.173854+0100	2057925	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)	1	192.168.2.6	63137	1.1.1.1	53	UDP
2025-01-09T13:20:57.173854+0100	2057973	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)	1	192.168.2.6	63137	1.1.1.1	53	UDP
2025-01-09T13:20:57.173854+0100	2058675	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)	1	192.168.2.6	63137	1.1.1.1	53	UDP
2025-01-09T13:20:57.185723+0100	2057927	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)	1	192.168.2.6	57194	1.1.1.1	53	UDP
2025-01-09T13:20:57.185723+0100	2057975	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)	1	192.168.2.6	57194	1.1.1.1	53	UDP
2025-01-09T13:20:57.185723+0100	2058677	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)	1	192.168.2.6	57194	1.1.1.1	53	UDP
2025-01-09T13:20:57.196529+0100	2057943	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)	1	192.168.2.6	52786	1.1.1.1	53	UDP
2025-01-09T13:20:57.196529+0100	2057971	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)	1	192.168.2.6	52786	1.1.1.1	53	UDP
2025-01-09T13:20:57.196529+0100	2058673	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)	1	192.168.2.6	52786	1.1.1.1	53	UDP
2025-01-09T13:20:57.207837+0100	2057935	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)	1	192.168.2.6	64534	1.1.1.1	53	UDP
2025-01-09T13:20:57.207837+0100	2057969	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)	1	192.168.2.6	64534	1.1.1.1	53	UDP
2025-01-09T13:20:57.207837+0100	2058671	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)	1	192.168.2.6	64534	1.1.1.1	53	UDP
2025-01-09T13:20:57.891992+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49699	104.102.49.254	443	TCP
2025-01-09T13:20:58.386121+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	49699	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:20:57.233057022 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:57.233153105 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:57.233242035 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:57.235773087 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:57.235811949 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:57.891772985 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:57.891992092 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:57.895191908 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:57.895226955 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:57.895689011 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:57.933861017 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:57.979338884 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.386257887 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.386324883 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.386347055 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.386363983 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.386390924 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.386413097 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.386430025 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.386441946 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.386444092 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.386470079 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.386502028 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.470803022 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.470905066 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.470957994 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.470998049 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.471023083 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:20:58.471035004 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.471100092 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.473135948 CET	49699	443	192.168.2.6	104.102.49.254
Jan 9, 2025 13:20:58.473150015 CET	443	49699	104.102.49.254	192.168.2.6
Jan 9, 2025 13:21:13.971833944 CET	49229	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:21:13.976625919 CET	53	49229	1.1.1.1	192.168.2.6
Jan 9, 2025 13:21:13.976701975 CET	49229	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:21:13.981589079 CET	53	49229	1.1.1.1	192.168.2.6
Jan 9, 2025 13:21:14.478266954 CET	49229	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:21:14.609929085 CET	49229	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:21:14.614953995 CET	53	49229	1.1.1.1	192.168.2.6
Jan 9, 2025 13:21:14.615010977 CET	49229	53	192.168.2.6	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:20:57.109986067 CET	53277	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.118623018 CET	53	53277	1.1.1.1	192.168.2.6
Jan 9, 2025 13:20:57.125699997 CET	51060	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.134553909 CET	53	51060	1.1.1.1	192.168.2.6
Jan 9, 2025 13:20:57.146925926 CET	49477	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.155565023 CET	53	49477	1.1.1.1	192.168.2.6
Jan 9, 2025 13:20:57.162925005 CET	58820	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.172372103 CET	53	58820	1.1.1.1	192.168.2.6
Jan 9, 2025 13:20:57.173854113 CET	63137	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.182653904 CET	53	63137	1.1.1.1	192.168.2.6
Jan 9, 2025 13:20:57.185723066 CET	57194	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.195085049 CET	53	57194	1.1.1.1	192.168.2.6
Jan 9, 2025 13:20:57.196528912 CET	52786	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.205933094 CET	53	52786	1.1.1.1	192.168.2.6
Jan 9, 2025 13:20:57.207837105 CET	64534	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.218440056 CET	53	64534	1.1.1.1	192.168.2.6
Jan 9, 2025 13:20:57.219712019 CET	59184	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:20:57.227392912 CET	53	59184	1.1.1.1	192.168.2.6
Jan 9, 2025 13:21:13.971214056 CET	53	58047	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 13:20:57.109986067 CET	192.168.2.6	1.1.1.1	0x3b81	Standard query (0)	se-blurry.biz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.125699997 CET	192.168.2.6	1.1.1.1	0xee59	Standard query (0)	zinc-sneark.biz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.146925926 CET	192.168.2.6	1.1.1.1	0x1227	Standard query (0)	dwell-exclaim.biz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.162925005 CET	192.168.2.6	1.1.1.1	0x8736	Standard query (0)	formy-spill.biz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.173854113 CET	192.168.2.6	1.1.1.1	0xb643	Standard query (0)	covery-mover.biz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.185723066 CET	192.168.2.6	1.1.1.1	0x30b4	Standard query (0)	dare-curbys.biz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.196528912 CET	192.168.2.6	1.1.1.1	0xed8c	Standard query (0)	print-vexer.biz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.207837105 CET	192.168.2.6	1.1.1.1	0x8874	Standard query (0)	impend-differ.biz	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.219712019 CET	192.168.2.6	1.1.1.1	0x53b5	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 13:20:57.118623018 CET	1.1.1.1	192.168.2.6	0x3b81	Name error (3)	se-blurry.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.134553909 CET	1.1.1.1	192.168.2.6	0xee59	Name error (3)	zinc-sneark.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.155565023 CET	1.1.1.1	192.168.2.6	0x1227	Name error (3)	dwell-exclaim.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.172372103 CET	1.1.1.1	192.168.2.6	0x8736	Name error (3)	formy-spill.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.182653904 CET	1.1.1.1	192.168.2.6	0xb643	Name error (3)	covery-mover.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.195085049 CET	1.1.1.1	192.168.2.6	0x30b4	Name error (3)	dare-curbys.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.205933094 CET	1.1.1.1	192.168.2.6	0xed8c	Name error (3)	print-vexer.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.218440056 CET	1.1.1.1	192.168.2.6	0x8874	Name error (3)	impend-differ.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 13:20:57.227392912 CET	1.1.1.1	192.168.2.6	0x53b5	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	104.102.49.254	443	2196	C:\Users\user\AppData\Roaming\nRIsFYood8.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 12:20:57 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-09 12:20:58 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 09 Jan 2025 12:20:58 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=5d95a3ea9875178caf916e46; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-09 12:20:58 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-09 12:20:58 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	07:20:54
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\h3VYJaQqI9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h3VYJaQqI9.exe"
Imagebase:	0xbd0000
File size:	2'605'056 bytes
MD5 hash:	3C183FBDC12AD0C81F49430831397EE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:20:54
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:20:55
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\h3VYJaQqI9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\h3VYJaQqI9.exe"
Imagebase:	0xbd0000
File size:	2'605'056 bytes
MD5 hash:	3C183FBDC12AD0C81F49430831397EE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:20:55
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe"
Imagebase:	0x1e91b6a0000
File size:	11'264 bytes
MD5 hash:	5AFB8CE4DD3923219BD69BD7B5168D91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:20:55
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\nRIsFYood8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\nRIsFYood8.exe"
Imagebase:	0x8e0000
File size:	919'552 bytes
MD5 hash:	0F4F19C69E1C39AC07570D86BC8357DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:20:55
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:20:56
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\nRIsFYood8.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\nRIsFYood8.exe"
Imagebase:	0x8e0000
File size:	919'552 bytes
MD5 hash:	0F4F19C69E1C39AC07570D86BC8357DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:20:56
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\nRIsFYood8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\nRIsFYood8.exe"
Imagebase:	0x8e0000
File size:	919'552 bytes
MD5 hash:	0F4F19C69E1C39AC07570D86BC8357DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:21:06
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe"
Imagebase:	0x23366390000
File size:	11'264 bytes
MD5 hash:	5AFB8CE4DD3923219BD69BD7B5168D91
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.1%
Total number of Nodes:	286
Total number of Limit Nodes:	3

Executed Functions

Function 00C048A4 Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C076A8: RtlAllocateHeap.NTDLL(00000000,00BD9CE2,?,?,00BD9CE2,01EFE920), ref: 00C0A24B

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C04A05
___raise_securityfailure.LIBCMT ref: 00C04AED

Part of subcall function 00C05525: RaiseException.KERNEL32(E06D7363,00000001,00000003,00C049F9,?,?,?,?,00C049F9,?,00C178CC), ref: 00C05585

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID: AllocateExceptionFeatureHeapPresentProcessorRaise___raise_securityfailure
String ID:
API String ID: 3152355713-0
Opcode ID: 5561d821e7652f7a715eadff9b1f0e3a0c775acbcfdd25d692bfd244fd4c2191
Instruction ID: 41ec8ae3ed39e4e5718555199d9c4175514a4e175bed878eda7c11d6f8b402f2
Opcode Fuzzy Hash: 5561d821e7652f7a715eadff9b1f0e3a0c775acbcfdd25d692bfd244fd4c2191
Instruction Fuzzy Hash: FF3128B4540209BAD704DF55FC6A7DD77A8FB0A710F10C22AEA18972E1E7B09A84CB85

Function 00C092D2 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00C076A5,00BD9949), ref: 00C092E8
GetLastError.KERNEL32(?,?,00C076A5,00BD9949), ref: 00C092F3

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: f335922f91a7e79ffc8bfa2be3e37608d0a7a53bd0d52cd08c83d6c659ac0d1a
Instruction ID: 7ba6be5f45e865d368123e563394be6670302bd93013cdee2abfe655f7fda48c
Opcode Fuzzy Hash: f335922f91a7e79ffc8bfa2be3e37608d0a7a53bd0d52cd08c83d6c659ac0d1a
Instruction Fuzzy Hash: 85E086326006046BDF112BA4FD1C7CD3B68FB42351F108050F90CCA0F1CA308940DB80

Function 00C076A8 Relevance: 1.5, APIs: 1, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00BD9CE2,?,?,00BD9CE2,01EFE920), ref: 00C0A24B

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 202594876c54c061a5a4467b04944c42d83dfa41ef8889e9a10c4a09a7317ba3
Instruction ID: 14ca51560ce8505eeef593e27ed283801a82fa9950627ba7a795cc63e51f1316
Opcode Fuzzy Hash: 202594876c54c061a5a4467b04944c42d83dfa41ef8889e9a10c4a09a7317ba3
Instruction Fuzzy Hash: B5F0A731544315ABD62126675C05BAA378CEF827A0F154131FD5D971D1CA33DD00E2E3

Non-executed Functions

Function 00BDA050 Relevance: 12.8, Strings: 10, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[g~R, xrefs: 00BDA10F
GyPy, xrefs: 00BDA3B8
R{$, xrefs: 00BDA174
GyPy, xrefs: 00BDA1E6
[g~R, xrefs: 00BDA3D6
[g~R, xrefs: 00BDA312
GyPy, xrefs: 00BDA332
R{$, xrefs: 00BDA1FB
Zg~R, xrefs: 00BDA300
GyPy, xrefs: 00BDA344

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: GyPy$GyPy$GyPy$GyPy$R{$$R{$$Zg~R$[g~R$[g~R$[g~R
API String ID: 0-2797620769
Opcode ID: e04557fc7d2e255163b8115777f895f3e87229ab9d160731126530a36c7ec1bc
Instruction ID: 1a55bd08533747022c333a5be99ca9bc1153e4038094a2da26b879aac0bd1cb5
Opcode Fuzzy Hash: e04557fc7d2e255163b8115777f895f3e87229ab9d160731126530a36c7ec1bc
Instruction Fuzzy Hash: AAB15C75A083514F8B148E38ACD523EFBD59B5B22076885A7EC16C73A2FB11DE06E343

Function 00BF0BF0 Relevance: 7.0, Strings: 5, Instructions: 743COMMON

Download Yara Rule

Strings

VT,, xrefs: 00BF162C
VT,, xrefs: 00BF0D78
VT,, xrefs: 00BF1625
VT,, xrefs: 00BF126C
VT,, xrefs: 00BF127A

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: VT,$VT,$VT,$VT,$VT,
API String ID: 0-3780933927
Opcode ID: c920a55c5f9011cb3a22ab0301d17966c2bde964c12c2e47a983d5eb67de41ca
Instruction ID: 0468bcd7200f94f6d9e08adc4e78f84c50586ad06f67da3f9d65bebcd1fdb15b
Opcode Fuzzy Hash: c920a55c5f9011cb3a22ab0301d17966c2bde964c12c2e47a983d5eb67de41ca
Instruction Fuzzy Hash: 5B424D3B2182048B4A1CDB6896E427D72D7EBE5320B798B9AE7174F7F5CA318C4E4741

Function 00BF2480 Relevance: 6.6, Strings: 5, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~xt, xrefs: 00BF2560
Nf2{, xrefs: 00BF253E
Nf2{, xrefs: 00BF2615
Nf2{, xrefs: 00BF2692
Nf2{, xrefs: 00BF26A0

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: Nf2{$Nf2{$Nf2{$Nf2{$~xt
API String ID: 0-1782113615
Opcode ID: bb8a8626d7a81285f61d1345017df56e7ba0db1a248c5cf566f3e6f941c5458a
Instruction ID: 10a0ae7f84892770936557bf57c021902b3922c42d57596533a4c3a3fde704db
Opcode Fuzzy Hash: bb8a8626d7a81285f61d1345017df56e7ba0db1a248c5cf566f3e6f941c5458a
Instruction Fuzzy Hash: 7FA1583A6086088B5924A7385DC467E32DBABE53707248B96F715CB3F5EA38DD0D8302

Function 00BF1FB0 Relevance: 5.3, Strings: 4, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_CR, xrefs: 00BF2256
_CR, xrefs: 00BF22E8
_CR, xrefs: 00BF221A
_CR, xrefs: 00BF2224

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: _CR$_CR$_CR$_CR
API String ID: 0-1519080445
Opcode ID: 6f97760e3c735cc4ed9ffa02c8d494874ab4e09389f29715df54666285075710
Instruction ID: 599ce95b9f12acc2c7aa2653b9e1720eb7d1a7dc2be6ded905ac7453e7b75b44
Opcode Fuzzy Hash: 6f97760e3c735cc4ed9ffa02c8d494874ab4e09389f29715df54666285075710
Instruction Fuzzy Hash: 7BA12A7A2042048FDA288B38A99477E36D7DBDA320F248A45DA11CB3E5DB75CD4FC746

Function 00C00440 Relevance: 5.3, Strings: 4, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]Cz", xrefs: 00C00771
]Cz", xrefs: 00C00553
]Cz", xrefs: 00C00714
]Cz", xrefs: 00C00548

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: ]Cz"$]Cz"$]Cz"$]Cz"
API String ID: 0-3093854462
Opcode ID: f3bbc6e44488c228d5ade32d2fec9d84dc9f99528d37cdbacb7d1c0da7970c56
Instruction ID: d0b15efd68066670e0379ed7f87dbca134cbfe79321f6c95662e47868cbaffe0
Opcode Fuzzy Hash: f3bbc6e44488c228d5ade32d2fec9d84dc9f99528d37cdbacb7d1c0da7970c56
Instruction Fuzzy Hash: FAA15B3A2047000BDD28DA2959D537E7686EBDA330F37C616EA62DB2E5D734CE45C682

Function 00BE01DF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Lb, xrefs: 00BE0226
Lb, xrefs: 00BE0243

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: Lb$Lb
API String ID: 0-2286632639
Opcode ID: 3b161d3a2be0100a39e37c247a45192c3f7a7975355a4ab0c412221a37b34eae
Instruction ID: 1a33e5fe2111c0b29c0e532861269a8563be2014f020cc259729dba6731249c9
Opcode Fuzzy Hash: 3b161d3a2be0100a39e37c247a45192c3f7a7975355a4ab0c412221a37b34eae
Instruction Fuzzy Hash: 4181493A6195804B4E2C472A59E427CA2D7EFE9330738C3AFD9234B7F4DB354C868641

Function 00C01C20 Relevance: 4.0, Strings: 3, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o~n, xrefs: 00C01E68
o~n, xrefs: 00C01E4A
o~n, xrefs: 00C01CAC

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: o~n$o~n$o~n
API String ID: 0-435956815
Opcode ID: bfeecfed3c8b42ecba76b8ec5ece915ec33b0220e73efbb414ec10fbf6539435
Instruction ID: f58e522b70eaddd4c4a7cfcc9310e69e75cffdd0e1cb9a931784933f0e47f88f
Opcode Fuzzy Hash: bfeecfed3c8b42ecba76b8ec5ece915ec33b0220e73efbb414ec10fbf6539435
Instruction Fuzzy Hash: 31A1E37B2052018BEA2C4B1495E427DF297ABE6360B39864FDD631BBE0C7325E46D781

Function 00BDFFCC Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

"GG, xrefs: 00BE139D

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: "GG
API String ID: 0-1669663640
Opcode ID: 0685ea22bda2f3cf71439c9acd7d97336257c141604cb29a279acf6f1e771d42
Instruction ID: da1f5fa79232233117af9239c193b2e8c93b0ab9625604ab35487092cf368f9e
Opcode Fuzzy Hash: 0685ea22bda2f3cf71439c9acd7d97336257c141604cb29a279acf6f1e771d42
Instruction Fuzzy Hash: D7E1693B619181474A2C872999E427DA2D3EFE5330B38C7ABD9274B7F4DB354C86C642

Function 00BFED30 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

bad array new length, xrefs: 00BFEDC1, 00BFEFA5, 00BFF117, 00BFF176

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: bad array new length
API String ID: 0-1242854226
Opcode ID: 3fcea01f20315f976443ad665433a1e4b19f076ae5bd39736c96fa629baa5d05
Instruction ID: 52af1b2ba4d063ab586b6ca2619a42fd43bf994281c3af7c52b1872162e3b302
Opcode Fuzzy Hash: 3fcea01f20315f976443ad665433a1e4b19f076ae5bd39736c96fa629baa5d05
Instruction Fuzzy Hash: 94A10B3A2095044F5E28CE395DD477D26D3EADA370735CAA6E632CB6F8C635CC4AC291

Function 00BDA9B0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f49e490efa7062c6827a3055f8e0e26a2d20a8d5c344b53362f27b54f4f5ed
Instruction ID: 793753dca72ab7194a7c8be3dc819c72b1c572e3835b4d7e29ad4b58ca4ffce5
Opcode Fuzzy Hash: 83f49e490efa7062c6827a3055f8e0e26a2d20a8d5c344b53362f27b54f4f5ed
Instruction Fuzzy Hash: 9AB11E327151144B8E2C8A6C89E437DF7C7EF9A360725829BE8139B7E0EA249C468743

Function 00BDA4E0 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cf10ad5cc45ced2fb8e8f83c8b844f8b0f9964e729c015187576b3a1ec0234
Instruction ID: be2da184957d21eb89cf0b8831c30a11227f261f6a4864ed01c407873fd72f43
Opcode Fuzzy Hash: d8cf10ad5cc45ced2fb8e8f83c8b844f8b0f9964e729c015187576b3a1ec0234
Instruction Fuzzy Hash: EFB1183AA045008F8A54CA28A58562DF7D6EBAA3347298683D911CB7F4F735DC468783

Function 00C07F65 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,1AD27513,?,00C08074,?,00BD9949,00000000,00000000), ref: 00C08026

Strings

api-ms-, xrefs: 00C07FBC
ext-ms-, xrefs: 00C07FD0

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: ba9dbcd0f009a595362611282c826890e108792511da1f0ef55d6cee340ced2a
Instruction ID: 63f189bb42617deaa2ee3ac000046d812c1cc99dbbf34758b3f6f8ed07e6c995
Opcode Fuzzy Hash: ba9dbcd0f009a595362611282c826890e108792511da1f0ef55d6cee340ced2a
Instruction Fuzzy Hash: F721E731A09212EBDB219B65DC40B9E3768EF42774F258220F956A72D0DF71EE08D6E0

Function 00BE0067 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00BE00B1
CloseHandle.KERNEL32(?), ref: 00BE16D6

Strings

Lb, xrefs: 00BE16BD

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID: CloseFileHandleRead
String ID: Lb
API String ID: 2331702139-1610255346
Opcode ID: c967e92710b81930e85e87d722def7d9b7a7b8e7a662767bc4a2d542171e6521
Instruction ID: 68af3a212de30c7887028a91c71c67594feec837de3fe25c86887f71df0df576
Opcode Fuzzy Hash: c967e92710b81930e85e87d722def7d9b7a7b8e7a662767bc4a2d542171e6521
Instruction Fuzzy Hash: D141483A5190458B8E2C072659E467DF3E3EFA5320B38C5EFD91357BB2EB350C868646

Function 00BDD384 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00BDD3CE
CloseHandle.KERNEL32(?), ref: 00BDE984

Strings

Lb, xrefs: 00BDE96B

Memory Dump Source

Source File: 00000000.00000002.2106730025.0000000000BD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BD0000, based on PE: true

Associated: 00000000.00000002.2106697559.0000000000BD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106755539.0000000000C12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106766253.0000000000C18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106775669.0000000000C19000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106821049.0000000000C1B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106832478.0000000000C1E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106946759.0000000000E50000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bd0000_h3VYJaQqI9.jbxd

Similarity

API ID: CloseFileHandleRead
String ID: Lb
API String ID: 2331702139-1610255346
Opcode ID: b92a74268e783cc714bdf1a87421c432de0ba947d8e42248f0f29532c859d1c4
Instruction ID: 543d2b6e4e87156b8436345b4d9836d0a908f836c279f6263dbcfe48654716a9
Opcode Fuzzy Hash: b92a74268e783cc714bdf1a87421c432de0ba947d8e42248f0f29532c859d1c4
Instruction Fuzzy Hash: 574127355145058B8E3C06645DF527CF2D2EFA6330B3882DFD9A366BF0FA364C868606

Analysis Process: h3VYJaQqI9.exePID: 4560, Parent PID: 280COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.2%
Total number of Nodes:	826
Total number of Limit Nodes:	30

Executed Functions

Function 0041FEAF Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041FB65: CreateFileW.KERNELBASE(?,00000000,?,0041FF58,?,?,00000000,?,0041FF58,?,0000000C), ref: 0041FB82

GetLastError.KERNEL32 ref: 0041FFC3
__dosmaperr.LIBCMT ref: 0041FFCA
GetFileType.KERNELBASE(00000000), ref: 0041FFD6
GetLastError.KERNEL32 ref: 0041FFE0
__dosmaperr.LIBCMT ref: 0041FFE9
CloseHandle.KERNEL32(00000000), ref: 00420009
CloseHandle.KERNEL32(?), ref: 00420156
GetLastError.KERNEL32 ref: 00420188
__dosmaperr.LIBCMT ref: 0042018F

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 87ef763bbd003f1d2de960a3db6ca709dde3cd444b7d1b6f895e6fd8deb0075d
Instruction ID: c043dc6610800097a8c7d9f7805d75e01504a092e95ab29a96a2aa982ce353c5
Opcode Fuzzy Hash: 87ef763bbd003f1d2de960a3db6ca709dde3cd444b7d1b6f895e6fd8deb0075d
Instruction Fuzzy Hash: FCA14732A041559FCF19DF28EC91BAE3BA1AB46314F18016EF801EB3D2C7398957D759

Function 004038C0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 401
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(shell32.dll), ref: 0040390A

Strings

.exe, xrefs: 004039E4, 004039F5, 00403C28, 00403C39
open, xrefs: 00403E04, 00403E25
shell32.dll, xrefs: 00403905
MZx, xrefs: 0040394F, 00403DC3

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: LibraryLoad
String ID: .exe$MZx$open$shell32.dll
API String ID: 1029625771-1920753156
Opcode ID: 7159a51a4fdb2a7949edf891d5bf010cc282324a26eac507637558cc1e206821
Instruction ID: 509210d3ebec96c016fa0aca3564ff16a3fac877aac10b1bc4138c660d5e2b0c
Opcode Fuzzy Hash: 7159a51a4fdb2a7949edf891d5bf010cc282324a26eac507637558cc1e206821
Instruction Fuzzy Hash: 07E13A312083408BE718CF28C945B6FBBE5BF85305F24462DF089AB2D2D779E6458B5A

Function 00418EB1 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00418F38
__alloca_probe_16.LIBCMT ref: 00418FF9
__freea.LIBCMT ref: 00419060

Part of subcall function 00415426: HeapAlloc.KERNEL32(00000000,?,?,?,00407448,?,?,004038E3,0000000C), ref: 00415458

__freea.LIBCMT ref: 00419075
__freea.LIBCMT ref: 00419085

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: b34ec7378ed80fdedf5b3cd9fd74b686b7ca20f323847e8b562edae9002d46d2
Instruction ID: 5a58541e407446bb28ced3c61191459bbd43b91e1c19ac61a4b7f941500e9d67
Opcode Fuzzy Hash: b34ec7378ed80fdedf5b3cd9fd74b686b7ca20f323847e8b562edae9002d46d2
Instruction Fuzzy Hash: 1451E572600206AFDB249E65CC81EFB3AA9EF48754B15012EFD05D7250EB39DD81C7A9

Function 00411432 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041142C,00000016,0040BD98,?,?,D21CAE0E,0040BD98,?), ref: 00411443
TerminateProcess.KERNEL32(00000000,?,0041142C,00000016,0040BD98,?,?,D21CAE0E,0040BD98,?), ref: 0041144A
ExitProcess.KERNEL32 ref: 0041145C

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction ID: 3fe6f93935658f8ab67006e652a10cd0383134051074610e396dae59c432ecd7
Opcode Fuzzy Hash: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction Fuzzy Hash: 5DD09E31100148ABCF117F61EC0DA993F2AAF407557858025FA0A56131CB369993AA58

Function 00416DAF Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004164C2: GetConsoleOutputCP.KERNEL32(D21CAE0E,00000000,00000000,0040BDB8), ref: 00416525

WriteFile.KERNELBASE(FFBF5BE8,00000000,?,0040BC75,00000000,00000000,00000000,00000000,?,?,0040BC75,?,?,004328B8,00000010,0040BDB8), ref: 00416F18
GetLastError.KERNEL32(?,0040BC75,?,?,004328B8,00000010,0040BDB8,?,?,00000000,?), ref: 00416F22

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction ID: cb585fdb2482b244a4d3bef91fab55670e651a1c55327e645a67e42ff2a15e13
Opcode Fuzzy Hash: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction Fuzzy Hash: 4461D775D04249AFDF10CFA8C844AEF7FB9AF09308F16415AF804A7252D379D986CB69

Function 0041C196 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BCC6: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 0041BCF1

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0041BFDD,?,00000000,?,00000000,?), ref: 0041C1F7
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0041BFDD,?,00000000,?,00000000,?), ref: 0041C239

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 828569ccb8714ae48c68675b61d17cc33801355f1d7dcceba0b097672ed0b71e
Instruction ID: 9d2c2a29c4c478eab1b1f1167368467c00d7c014d6dc0482c332f282e065d277
Opcode Fuzzy Hash: 828569ccb8714ae48c68675b61d17cc33801355f1d7dcceba0b097672ed0b71e
Instruction Fuzzy Hash: 4F512570E802448FDB24DFB6CC806EBBBE4EF91304F1485AFD09687251D7789982CB99

Function 0041479B Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00418F9F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004147CF
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00418F9F,?,?,00000000,?,00000000), ref: 004147ED

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: f1a5938a5601bf9906601374711c41b1ceba9ab1f18a1f51be4aa21c000efe52
Instruction ID: 3e5a2d8e864b1ea57e26fed8c24e94031886aaccac2bb831807e976e79a71a16
Opcode Fuzzy Hash: f1a5938a5601bf9906601374711c41b1ceba9ab1f18a1f51be4aa21c000efe52
Instruction Fuzzy Hash: D7F07A3250011ABBCF125F91DC05DDE3F66FF883A4F068115FA2826160CB36C9B2AB95

Function 00403EE0 Relevance: 3.0, APIs: 2, Instructions: 22
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004038C0,00000000,00000000,D21CAE0E), ref: 00403F06
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403F0F

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: af3e1afe4429c917983b20489d93451d494df3de1508f1cbbf6b72916d2180c4
Instruction ID: 9ada69c4f7ca39928594594d106047c4e65b58e1a3541a0c5f1fc3d2bb6a9bfa
Opcode Fuzzy Hash: af3e1afe4429c917983b20489d93451d494df3de1508f1cbbf6b72916d2180c4
Instruction Fuzzy Hash: 10E08675758300BBD710EF24EC07F1A3BE4BB48B05F914A39F295A62D0D674B404965E

Function 00414D5D Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,00414C44,00000000,CF830579,00432C48,0000000C,00414D00,0040BD0B,?), ref: 00414DB3
GetLastError.KERNEL32(?,00414C44,00000000,CF830579,00432C48,0000000C,00414D00,0040BD0B,?), ref: 00414DBD

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction ID: ceb111eb948f9657ebdeceefd9bfba8073a9b29251fc9eed98a790ab6a2c0bec
Opcode Fuzzy Hash: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction Fuzzy Hash: 06114C336041241ADB246635BC867FE6749CBC1738F290A5FF808C72C1DE388CC2929C

Function 0041BD9A Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,0041BFE9,0041BFDD,00000000), ref: 0041BDCC

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 12fd2c2f15e29548472ec9e3af7dcab5f7542e97739875518ffedda74a0b877f
Instruction ID: f4a0d71df1ffb53e0e19ffd43ad9d64dc8bb1157ec8b6952aaf00382241378c0
Opcode Fuzzy Hash: 12fd2c2f15e29548472ec9e3af7dcab5f7542e97739875518ffedda74a0b877f
Instruction Fuzzy Hash: 4E516D715042589EDB218F28CD80BF67BBCEB55304F2405EEE699C7182C3789D86DFA4

Function 004143CC Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction ID: d7b25293e7db54f96000769fea1aeb7630fb582f3d7d0c2fc2c622193e8995c8
Opcode Fuzzy Hash: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction Fuzzy Hash: 620128373002255F9F25CF6EEC40ADB33A6FBC07243148136FA20CB684DA34D8829799

Function 00413EF2 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00413F2C

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 86b5a37895ede01666616fd7f26fe40e68c10059cd8d9e9be6e6956d389c093e
Instruction ID: be02312cd07e58b193bdeee16c95f5fde802225de20a5ed1c7ae4422ede983e8
Opcode Fuzzy Hash: 86b5a37895ede01666616fd7f26fe40e68c10059cd8d9e9be6e6956d389c093e
Instruction Fuzzy Hash: 46110375A0420AAFCB05DF58E9419DB7BF9EF48304F04406AF809AB351D630EA15CBA8

Function 00414094 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0000000C,?,?,004152D9,00000001,00000364,?,00000002,000000FF,?,?,0040E077,00415469), ref: 004140D5

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction ID: 7a371578952800d697783e4f14dfa84f7cfeb60b6085e341501622e7ba028638
Opcode Fuzzy Hash: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction Fuzzy Hash: E9F0BB35605625ABDB215A63DC05BDB3F489FC5760B158123B904EB1A0CA68D9D1819D

Function 0041FB65 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,?,0041FF58,?,?,00000000,?,0041FF58,?,0000000C), ref: 0041FB82

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction ID: 28cfbda6749b70c9de2fbd9d245fef773b8951bf2dd70127050a9a6bf190398c
Opcode Fuzzy Hash: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction Fuzzy Hash: 05D06C3210010DFBDF128F84DC06EDA3FAAFB4C714F018010FA5856021C732E832AB94

Non-executed Functions

Function 00465350 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Strings

/3|>, xrefs: 00465461
/3|>, xrefs: 004655EC
/3|>, xrefs: 004655E2
/3|>, xrefs: 0046561D

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: /3|>$/3|>$/3|>$/3|>
API String ID: 0-3543310136
Opcode ID: e58870a6134ed3141835de5a4382cd7e3caecbc90aa8fe60e372f391fd8412de
Instruction ID: bd8209315f958c5f7e4c17a7e45d01605d9c752a3660bcc95bae0e0fa50928dc
Opcode Fuzzy Hash: e58870a6134ed3141835de5a4382cd7e3caecbc90aa8fe60e372f391fd8412de
Instruction Fuzzy Hash: F9A1EC3A205E008FCA248F18D9C452F72E19B95731FA48717D956CB3E5FA78DC819B4B

Function 0041EBA1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(3FC00000,2000000B,0041EEBF,00000002,00000000,?,?,?,0041EEBF,?,00000000), ref: 0041EC3A
GetLocaleInfoW.KERNEL32(3FC00000,20001004,0041EEBF,00000002,00000000,?,?,?,0041EEBF,?,00000000), ref: 0041EC63
GetACP.KERNEL32(?,?,0041EEBF,?,00000000), ref: 0041EC78

Strings

OCP, xrefs: 0041EBF5
ACP, xrefs: 0041EBBF

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction ID: 81a9d30784dd22d719d41cfb92251f6e816e7a4bc62bdb22216d11a6fc444572
Opcode Fuzzy Hash: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction Fuzzy Hash: 92218E3AB04101AADB34CF56CD05AD773A7AF50B50B568826FD0AD7211F736EE81C798

Function 0041ED76 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0041EE82
IsValidCodePage.KERNEL32(00000000), ref: 0041EECB
IsValidLocale.KERNEL32(?,00000001), ref: 0041EEDA
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041EF22
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0041EF41

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1f142972335a53d1e2416df24534188105d76140515381cc06687f0020485920
Instruction ID: eeabbf5cfaddba79e94d22b4dd48aaeada7d5b667952b3c456454f902e5df75d
Opcode Fuzzy Hash: 1f142972335a53d1e2416df24534188105d76140515381cc06687f0020485920
Instruction Fuzzy Hash: B4519075A00315ABDF20DFA6DC41BEB77B8FF48700F54442AAD14E7290E7789980CB69

Function 0041E412 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

GetACP.KERNEL32(?,?,?,?,?,?,00411EE1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E4D3
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00411EE1,?,?,?,00000055,?,-00000050,?,?), ref: 0041E4FE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E661

Strings

utf8, xrefs: 0041E5D0

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: d2e92ad91d33230e432f41824a885b4f53a9106f8c4d9673b702c20c8aa694f9
Instruction ID: 5e8f11e88951c7c1c9557d61489bca48d24d80555c5ca4e9e4b82e7d51b65768
Opcode Fuzzy Hash: d2e92ad91d33230e432f41824a885b4f53a9106f8c4d9673b702c20c8aa694f9
Instruction Fuzzy Hash: 8F711775A00611AADB24AB77CC42BE773A8EF54708F14442BFD05D7281FB7CE9818799

Function 00415635 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004156C2

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction ID: 91afe31f9ab3d507f6121463a8ee3d13cfef47ac4a512e863f990cc27fdcea00
Opcode Fuzzy Hash: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction Fuzzy Hash: 92B15872E00645DFDB119F68C891BEEBBE5EF85310F14816BE815AB341D2389D81CBA9

Function 00407B01 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407B0D
IsDebuggerPresent.KERNEL32 ref: 00407BD9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407BF9
UnhandledExceptionFilter.KERNEL32(?), ref: 00407C03

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction ID: ca20a48664bdef0e78e9b146848890f6e34f40b99dedcfcf476291c653997e40
Opcode Fuzzy Hash: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction Fuzzy Hash: 1B314B75D0521CDBDF20DFA0D9497CDBBB8BF04304F1040AAE50DA7290EB756A859F09

Function 0041E825 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E879
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E8C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E989

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: dd539c89c5381dfdaac91928ad5ed676a1006981e28db1904c6f4bbe4cde2b34
Instruction ID: efc99f0a6d6f1c6c35933ec1b38cf6b3cd41524c9fcadcabef19194d257b4763
Opcode Fuzzy Hash: dd539c89c5381dfdaac91928ad5ed676a1006981e28db1904c6f4bbe4cde2b34
Instruction Fuzzy Hash: EB618CB59101079BDB689F26CD82BEA77A8FF04340F14417BED16C6281F738D981DB58

Function 004077E0 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004077F6

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 96a2ba3aa580dc615e5e38e6a61e3a4296c942238419a14d8ec0a8789d2e52c4
Instruction ID: 853601205c21894bcdc8f75123652b739dccbac0e00907a06a8c71bf04373a9d
Opcode Fuzzy Hash: 96a2ba3aa580dc615e5e38e6a61e3a4296c942238419a14d8ec0a8789d2e52c4
Instruction Fuzzy Hash: 865180B2E056059FEB18CF54E9857AEBBF0FB48350F14913AD501EB390D378A940CB59

Function 0041B6EA Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a92f0add20f5243049fdc0791b09eb08ff10391a85524ccbb003bb3367a1d5
Instruction ID: e26fa8b462e3a3bc0dcd1cb195ad12d8a73a1b261898cc61817e46cff9ff25aa
Opcode Fuzzy Hash: b7a92f0add20f5243049fdc0791b09eb08ff10391a85524ccbb003bb3367a1d5
Instruction Fuzzy Hash: 9841A3B5804219AEDB20DF69CC89AEEBBB9EF45304F1441EEE418D3201DB359E858F54

Function 0041EA78 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041EACC

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 22a4290edeb40b255e0ef88b49f21dfdd78c731e0f866b45595c0c5f80cee5a7
Instruction ID: 09566a44d01ac47d2cdad9f49e07ec0328cace9eeb3adbfa8c3b07b4827ecd72
Opcode Fuzzy Hash: 22a4290edeb40b255e0ef88b49f21dfdd78c731e0f866b45595c0c5f80cee5a7
Instruction Fuzzy Hash: D321AF36605206ABDB28DE26DD42AFB73A8EF44314B10407FED02D6241EB78AD81CB58

Function 0041E6FF Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041E825,00000001,00000000,?,-00000050,?,0041EE56,00000000,?,?,?,00000055,?), ref: 0041E771

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9637497d46bd12567f8eabdc0472934baf484039a92a8dbd1bfa50b3c5102b1b
Instruction ID: f28f85ac1fea5866725ce88a4d547c14bcace0560233e7335010750b785556cb
Opcode Fuzzy Hash: 9637497d46bd12567f8eabdc0472934baf484039a92a8dbd1bfa50b3c5102b1b
Instruction Fuzzy Hash: F0112C3A6007019FEB189F3AD8916FAB791FF80368B14442ED95747740E7757843C744

Function 0041ECA7 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0041EB22,00000000,00000000,?), ref: 0041ECD3

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction ID: 6e93bce3e8a9596dc076f6a872b53f7d727095e2315f943068ff1bd0afa52940
Opcode Fuzzy Hash: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction Fuzzy Hash: 56F02D3A600113BFDB245B26EC09BFB7764EB40354F19442AEC06A3280EA78FDC2C694

Function 0041E60D Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E661

Strings

utf8, xrefs: 0041E5D0

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 2152daac5f42ae25a129a23ac8d896ce75da55d7df13b3f6dfbcda70826a3db5
Instruction ID: d369d087f973f2c2e7390e19339e1b86590d8fa7fa541369cb1b30fd3d4077c9
Opcode Fuzzy Hash: 2152daac5f42ae25a129a23ac8d896ce75da55d7df13b3f6dfbcda70826a3db5
Instruction Fuzzy Hash: B0F0F436A10105ABC714AF25DC45FFA73A8EB84324F40007EAA02D7281EA78AD418758

Function 0041E79A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041EA78,00000001,45F1B473,?,-00000050,?,0041EE1A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0041E7E4

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7822a5e4b117a09642d2d9f73cbe77476052005b15321de9f48d0f235ef5c92f
Instruction ID: 0c0c1f316863ef4a6d30beb722119c93d5a9d1266b3f20af8045389666d513f6
Opcode Fuzzy Hash: 7822a5e4b117a09642d2d9f73cbe77476052005b15321de9f48d0f235ef5c92f
Instruction Fuzzy Hash: BDF0C23A2003045FEB249F3A9881ABABB95FF80368F15442EFD568B690D6759C82C718

Function 00414138 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040E0C6: EnterCriticalSection.KERNEL32(?,?,00412EDC,00000000,00432B68,0000000C,00412EA3,0000000C,?,004140C7,0000000C,?,004152D9,00000001,00000364,?), ref: 0040E0D5

EnumSystemLocalesW.KERNEL32(0041412B,00000001,00432BE8,0000000C,0041455A,00000000), ref: 00414170

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 80f246e533dc21f73d9613eff5259b5841ca6d0f841dd3ce2907f16627d73c59
Instruction ID: 198ab3507c4040aae18c9164df511e00e81c972c753b4360ebc7eca8a0771405
Opcode Fuzzy Hash: 80f246e533dc21f73d9613eff5259b5841ca6d0f841dd3ce2907f16627d73c59
Instruction Fuzzy Hash: 14F03C72A14204DFD710EF99E842B9C77B0FB84725F10422BE811DB2A0C7B959409B98

Function 0041E6B4 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041E60D,00000001,45F1B473,?,?,0041EE78,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E6EB

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8c2aaa4c0cd0d54cc735e91a7a0ddb58f51471a544283acf310fccb30414098b
Instruction ID: d7e3b5c502124c080ac9a43a58f0728b4bb26e435a168ea3e401fe3e83efba30
Opcode Fuzzy Hash: 8c2aaa4c0cd0d54cc735e91a7a0ddb58f51471a544283acf310fccb30414098b
Instruction Fuzzy Hash: A9F0E53A30025597CB149F3AD8557AABF94EFD1724F87405AEE06CB250C6799883C758

Function 0041465E Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00412A47,?,20001004,00000000,00000002,?,?,00412049), ref: 00414692

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction ID: f9bd5592f4a27906ba0b7000611c056f456b6c13901b9127fc06cc884ae94f8f
Opcode Fuzzy Hash: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction Fuzzy Hash: 63E04F31540268BBCF122F61DC04EEE3F19FF85761F064026FC1566261CB7A9D61AA9D

Function 0041EFD8 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0041EFD8

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction ID: d5d072ba9748c195f736b78e16f2f5f2af1f06de213b616d404cea10f9c51eb0
Opcode Fuzzy Hash: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction Fuzzy Hash: 01A02230300280CF83808F32AE0CB0C3FF8AE082E0B0AC03AA000C80B0EF3080A0AF08

Function 00404B20 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404B4C
std::_Lockit::_Lockit.LIBCPMT ref: 00404B69
std::_Lockit::~_Lockit.LIBCPMT ref: 00404B8D
std::_Lockit::~_Lockit.LIBCPMT ref: 00404BB8
std::_Lockit::_Lockit.LIBCPMT ref: 00404C2A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404C7F
__Getctype.LIBCPMT ref: 00404C96
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404CD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00404D78
std::_Facet_Register.LIBCPMT ref: 00404D7E

Strings

bad locale name, xrefs: 00404D98

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 103145292-1405518554
Opcode ID: c0c875cd123add666a1ba57ec1f0c94ac2efaa9798bd961d6f12d2679ec0601c
Instruction ID: c45789c66640c356b2bc41b45c406846e681c44b1f4b151baf81fb86c109fe15
Opcode Fuzzy Hash: c0c875cd123add666a1ba57ec1f0c94ac2efaa9798bd961d6f12d2679ec0601c
Instruction Fuzzy Hash: 7B619FB19043408BD720DF65D941B5BB7F4AFD4304F05493EE989A7392E738E948CB5A

Function 004733D1 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 004734F0
___TypeMatch.LIBVCRUNTIME ref: 004735FE
CatchIt.LIBVCRUNTIME ref: 0047364F
_UnwindNestedFrames.LIBCMT ref: 00473750
CallUnexpected.LIBVCRUNTIME ref: 0047376B

Strings

a1G, xrefs: 0047359D, 0047362F, 0047363B
csm, xrefs: 00473527
csm, xrefs: 0047340E
csm, xrefs: 0047347B

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: a1G$csm$csm$csm
API String ID: 4119006552-1343112552
Opcode ID: 61add1d82a8b49bbe98863df3842cc44d0a8a0ab5c16107d25c9e27057ba6224
Instruction ID: a28b46fc38cf5603492c807f6a383a2444a5c3732a9afe71bac9ed9c452f78cc
Opcode Fuzzy Hash: 61add1d82a8b49bbe98863df3842cc44d0a8a0ab5c16107d25c9e27057ba6224
Instruction Fuzzy Hash: 15B17CB1800209EFCF29DFA5D9819EEB7B5BF04316F10815BE8086B311D739DA51DB9A

Function 0040A998 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0040AAB7
___TypeMatch.LIBVCRUNTIME ref: 0040ABC5
_UnwindNestedFrames.LIBCMT ref: 0040AD17
CallUnexpected.LIBVCRUNTIME ref: 0040AD32

Strings

csm, xrefs: 0040AA42
csm, xrefs: 0040A9D5
hqB, xrefs: 0040AAAE
csm, xrefs: 0040AAEE

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$hqB
API String ID: 2751267872-961717235
Opcode ID: e36ee884f164e9add2727880ca9071425b34f9d54382f0fd290b92e68b7c122e
Instruction ID: 1a84720c735a061b690d6f447b3278b908e1dcb1436106e9bb87ee9a1a6810cd
Opcode Fuzzy Hash: e36ee884f164e9add2727880ca9071425b34f9d54382f0fd290b92e68b7c122e
Instruction Fuzzy Hash: 2DB18A718003099FDF14DFA5C9809AEBBB5FF14304B19456BE8017B282C739DA61CF9A

Function 00422D42 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042485F), ref: 00422D5B

Strings

acos, xrefs: 00422E91
exp, xrefs: 00422DDA, 00422E3F
sqrt, xrefs: 00422E9A
log10, xrefs: 00422D9D, 00422DAC
asin, xrefs: 00422E88
log, xrefs: 00422DB8, 00422DC7
pow, xrefs: 00422DF9, 00422EA3, 00422EF0

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 99bc9cc3bdd9136b520063792197f245364da15bbda7aca5a31b7bed04557963
Instruction ID: 541d14d2076966b173cd57405107be29c5c83d47e8039af315078564b0fddfcc
Opcode Fuzzy Hash: 99bc9cc3bdd9136b520063792197f245364da15bbda7aca5a31b7bed04557963
Instruction Fuzzy Hash: 76514371B0062AEBCB108F59FA4C1AEBBB0FB45304F924057D480A6354CBBD8925EB5E

Function 00405A29 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405A30
std::_Lockit::_Lockit.LIBCPMT ref: 00405A3A

Part of subcall function 00401980: std::_Lockit::_Lockit.LIBCPMT ref: 0040199C
Part of subcall function 00401980: std::_Lockit::~_Lockit.LIBCPMT ref: 004019B9

codecvt.LIBCPMT ref: 00405A74
std::_Facet_Register.LIBCPMT ref: 00405A8B
std::_Lockit::~_Lockit.LIBCPMT ref: 00405AAB
__EH_prolog3.LIBCMT ref: 00405AC5

Strings

pdB, xrefs: 00405B01
A]@, xrefs: 00405AEB

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Facet_Registercodecvt
String ID: A]@$pdB
API String ID: 2149013928-1964063989
Opcode ID: 48a836b95ea0a2a7942309d70e795f41733f6e8201952988750b77b38025a74f
Instruction ID: 869559141b16ddd60639a7327273d1e33329aff20660fcaf6a9c65af963ad09c
Opcode Fuzzy Hash: 48a836b95ea0a2a7942309d70e795f41733f6e8201952988750b77b38025a74f
Instruction Fuzzy Hash: E5318174A00615CFCB11EF68C480AAEBBF0FF48354F54452EE445AB392DB79AA00CF99

Function 0040718A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407190
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0040719E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004071AF
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004071C0

Strings

kernel32.dll, xrefs: 0040718B
GetCurrentPackageId, xrefs: 00407198
GetTempPath2W, xrefs: 004071B5
GetSystemTimePreciseAsFileTime, xrefs: 004071A4

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction ID: 3afd18a413fbafaec0d1884410ec314f69904bb85606d66d63126fe90f125993
Opcode Fuzzy Hash: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction Fuzzy Hash: 3CE0EC71749671AB83209F70BC0EDAA3AA4EE0971139205B2BD15D2361D6BC44559B9C

Function 00424323 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(013F68B8,013F68B8,?,7FFFFFFF,?,004245F3,013F68B8,013F68B8,?,013F68B8,?,?,?,?,013F68B8,?), ref: 004243C9
__alloca_probe_16.LIBCMT ref: 00424484
__alloca_probe_16.LIBCMT ref: 00424513
__freea.LIBCMT ref: 0042455E
__freea.LIBCMT ref: 00424564
__freea.LIBCMT ref: 0042459A
__freea.LIBCMT ref: 004245A0
__freea.LIBCMT ref: 004245B0

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 8a56644c9f658ced4a7fecf9f58cf2b799a0c4498a4b3962048a55bd8390d3ba
Instruction ID: b3b1fd3be87dc675253da9249cad55eb0a70a834b65d1a532299ad71412a1fff
Opcode Fuzzy Hash: 8a56644c9f658ced4a7fecf9f58cf2b799a0c4498a4b3962048a55bd8390d3ba
Instruction Fuzzy Hash: 24711872B00625ABDF20AE64AC41BAF77B5DFC5314F94005BEA44A7381D73CDC8187A9

Function 0046B0F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0046B127
___except_validate_context_record.LIBVCRUNTIME ref: 0046B12F
_ValidateLocalCookies.LIBCMT ref: 0046B1B8
__IsNonwritableInCurrentImage.LIBCMT ref: 0046B1E3
_ValidateLocalCookies.LIBCMT ref: 0046B238

Strings

csm, xrefs: 0046B1CD

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c305ccd9bbc286952cf2e560852c576dda5165afd2bf5d7b2144b76c6e36ecfb
Instruction ID: 940c9417cc40852e4bf4a6c1aecc0fa53aaaa578ac64e7cf33b7efd2c1c1eade
Opcode Fuzzy Hash: c305ccd9bbc286952cf2e560852c576dda5165afd2bf5d7b2144b76c6e36ecfb
Instruction Fuzzy Hash: B541B634E00208ABCF10DF69C855A9E7BB5FF46358F14809BE8149B356E739AE41CBD6

Function 00414301 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,D21CAE0E,?,0041440E,004038E3,?,?,00000000), ref: 004143C2

Strings

ext-ms-, xrefs: 0041436C
api-ms-, xrefs: 00414358

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction ID: 9d281342414512710d521e2bc5e8bd8d189b06f0c9bb1d1e4d3acc3ca9f27be4
Opcode Fuzzy Hash: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction Fuzzy Hash: 9E21F371B41219ABCB219B61AC41F9B77589F817B4F250222ED26A73C0D738ED42C6D8

Function 00422232 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dfbc0b19412f8332e2df089f070eab11bf50ad423d98e1f5d4bef1ead3c863
Instruction ID: 9d2747a7e5b70225cc448f1b3832819408a251e63c6cb1e4317f51345b07cf5e
Opcode Fuzzy Hash: 34dfbc0b19412f8332e2df089f070eab11bf50ad423d98e1f5d4bef1ead3c863
Instruction Fuzzy Hash: B9B1E870B00215BFDB11DF59D980BAE7BB1BF45304F94816AE401AB392C7B99D42CB69

Function 0040A62A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040A621,00408D5A,00407CB3), ref: 0040A638
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040A646
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A65F
SetLastError.KERNEL32(00000000,0040A621,00408D5A,00407CB3), ref: 0040A6B1

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f63bbb8cb7aec36dee6161e5b527cb909134a011cd361eeab7ab36a7405b742e
Instruction ID: 78011c5e5d228000ed262031febe4d72c2c7c60d5ad4d387ad9a5ce747099190
Opcode Fuzzy Hash: f63bbb8cb7aec36dee6161e5b527cb909134a011cd361eeab7ab36a7405b742e
Instruction Fuzzy Hash: 530128332093112ED62427B6BD45A5B2678DB51774738063FF510722F1EF7E5C11554D

Function 004114C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D21CAE0E,?,?,00000000,0042534E,000000FF,?,00411458,?,?,0041142C,00000016), ref: 004114FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041150F
FreeLibrary.KERNEL32(00000000,?,00000000,0042534E,000000FF,?,00411458,?,?,0041142C,00000016), ref: 00411531

Strings

mscoree.dll, xrefs: 004114F6
CorExitProcess, xrefs: 00411507

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5db7edf03dd5c6a86733f78c3fc37fecd77a691f09511d684ccae05772ab5e40
Instruction ID: 91ec29eb5be505712193f20e889ba6035279a869843729da5c2c1c8d1a6e38dc
Opcode Fuzzy Hash: 5db7edf03dd5c6a86733f78c3fc37fecd77a691f09511d684ccae05772ab5e40
Instruction Fuzzy Hash: 5E018431A50625EBDB218F50DC09BAEB7F9FB44B11F400526F912A22A0DB789900CA58

Function 00474C06 Relevance: 7.7, APIs: 5, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00474E41
__freea.LIBCMT ref: 00474E47
__freea.LIBCMT ref: 00474E7D
__freea.LIBCMT ref: 00474E83
__freea.LIBCMT ref: 00474E93

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: __freea
String ID:
API String ID: 240046367-0
Opcode ID: cdcbcc60aef3dea4c42182cfae44f21ec57a8e32961994848cfad513f99bfe33
Instruction ID: 0b6c127ad9ed111e431f7682955dae446cf598e264c00aecf9b57227b9bfeac5
Opcode Fuzzy Hash: cdcbcc60aef3dea4c42182cfae44f21ec57a8e32961994848cfad513f99bfe33
Instruction Fuzzy Hash: 5071E472900219ABDF219FA49C41BFF77A9AF85324F19801BE95CA7381E73DDD00875A

Function 0045D180 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 140COMMON

Download Yara Rule

Strings

]SV8, xrefs: 0045D1D7
]SV8, xrefs: 0045D2FE
]SV8, xrefs: 0045D22D

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID: ]SV8$]SV8$]SV8
API String ID: 0-2784291062
Opcode ID: a7659e4f9b5e91b0d31534feffa74e5d3bc75fee4f2ca03bb7ab6903e1c3bfb2
Instruction ID: c078fcb515b4899af3b9e2515bb90b40aebde19b0008bf40714ec7e89c7ad428
Opcode Fuzzy Hash: a7659e4f9b5e91b0d31534feffa74e5d3bc75fee4f2ca03bb7ab6903e1c3bfb2
Instruction Fuzzy Hash: BA412836F482609B8A305A6C46C15AFA6C04FC6752F5A4557FCE4AB303D128CDCD878B

Function 00401F00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408090: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407FAB,?,?,?,?,00407FAB,0000000C,00432FA4,0000000C), ref: 004080F0

Strings

ios_base::eofbit set, xrefs: 00401F46
ios_base::failbit set, xrefs: 00401E62, 00401F41
ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 4ead06d7015465d74104fe04bb50a28eb9893de3519d089dfdf398cb4e8224d9
Instruction ID: 39c8128b798e2086e3302e8ab46e2dce8cada1f1b911e2d41b88b79c7a5bec65
Opcode Fuzzy Hash: 4ead06d7015465d74104fe04bb50a28eb9893de3519d089dfdf398cb4e8224d9
Instruction Fuzzy Hash: BD1136B29107156BC710DF68D801B86B3E8AF08310F14853FFA54E7291F778E804CBA9

Function 00407420 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407DA8
___raise_securityfailure.LIBCMT ref: 00407E90

Strings

@SC, xrefs: 00407E8B
#7@, xrefs: 00407E13

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: #7@$@SC
API String ID: 3761405300-54278199
Opcode ID: be0408e9841c2604ed6c70be4b6810e12912a1b256ed321422f905974070e74f
Instruction ID: 0d92a2c854cdd6e88b4d1eeb56e5bf4da0bfe8ec24aca00867b110679a0b03e4
Opcode Fuzzy Hash: be0408e9841c2604ed6c70be4b6810e12912a1b256ed321422f905974070e74f
Instruction Fuzzy Hash: DA2107B4640A00DBD318CF15F9857943BF4BB68355FA0643AE9088B3B1D3B46485CF1E

Function 0040B772 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0040B723,00000000,00000001,0043568C,?,?,?,0040B8C6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx), ref: 0040B77F
GetLastError.KERNEL32(?,0040B723,00000000,00000001,0043568C,?,?,?,0040B8C6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx,00000000,?,0040B67D), ref: 0040B789
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,0040A593), ref: 0040B7B1

Strings

api-ms-, xrefs: 0040B796

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction ID: 4a96934300341e5ece3864587fe3feae18b3ac400cb1fe2ce3454729e361f76d
Opcode Fuzzy Hash: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction Fuzzy Hash: 29E01A30384208BBEF205B61EC06F5A3E64EB40B85F904031FB0DE91E1E775A9519ACC

Function 004164C2 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(D21CAE0E,00000000,00000000,0040BDB8), ref: 00416525

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00416780
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004167C8
GetLastError.KERNEL32 ref: 0041686B

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 82cd919ffc66cdbec26423ec8f462efebf3297e9721ada9a3fb481d80f0d1854
Instruction ID: 1bb8143dd65314e62236f50c93da9e0a6d801424c5e2e01ca8c3ea5794d6433d
Opcode Fuzzy Hash: 82cd919ffc66cdbec26423ec8f462efebf3297e9721ada9a3fb481d80f0d1854
Instruction Fuzzy Hash: 7DD158B5E002589FCB11DFA9D880AEDBBB5FF48304F19412AE856E7351D734E882CB58

Function 004731FA Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004732C1
___AdjustPointer.LIBCMT ref: 004732E4
___AdjustPointer.LIBCMT ref: 00473380

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 61b0a85a798229474a3d58b2d00538af11b73fcdc75d5a3bd8cbc525c0de48c8
Instruction ID: 88186ad021ec57b61116c6af33a8bb2b40c855ac1751415c937e6f67bf3ce852
Opcode Fuzzy Hash: 61b0a85a798229474a3d58b2d00538af11b73fcdc75d5a3bd8cbc525c0de48c8
Instruction Fuzzy Hash: 0451F3726042069FDB348F15D841BEB73A4EF40706F14C42FEC0A96291EB39EE41EB99

Function 0040A741 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0040A808
___AdjustPointer.LIBCMT ref: 0040A82B
___AdjustPointer.LIBCMT ref: 0040A8C7

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction ID: 639cff4bd66d4eed68713a8ae307c2d2d1180f9e9004782a502f2a6fa8fea26a
Opcode Fuzzy Hash: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction Fuzzy Hash: 3D51CF72A00302AFEB29AF52C941B7A73A4EF40304F14853FE805672D1D739EC62C79A

Function 0041B4A7 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

GetLastError.KERNEL32 ref: 0041B50B
__dosmaperr.LIBCMT ref: 0041B512
GetLastError.KERNEL32(?,?,?,?), ref: 0041B54C
__dosmaperr.LIBCMT ref: 0041B553

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction ID: cec987ca27f54d0df3a57789ab5f391b1316bc0051da666ab1eca3c5aeea150a
Opcode Fuzzy Hash: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction Fuzzy Hash: 3221B671600215BFDB20EF66C8418ABB7ADFF043A8710852FF85997251D779ED9087D4

Function 004108A2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction ID: f8db4804455f599fb5fabd8b5f86bcd1d132503182311fbe19c9dedc91394c0d
Opcode Fuzzy Hash: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction Fuzzy Hash: 8F21F9B1610205AFEB20AF62CC90DAB776CFF40368710452BF415D7252D7B9EDD097A8

Function 0041C43D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041C445

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C47D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C49D

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction ID: cd346ceb72f841712861b774b6322b7d2f9c84398f992d5f92ec2fcb375f728e
Opcode Fuzzy Hash: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction Fuzzy Hash: 091104B2A48515BF672127B25CDACFF6D5CDE99398310402AF802D2102EE2CDD8285BD

Function 0046D087 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0046D0A3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0046D0BC

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 0b964deb5bc0f9eb0949004cf179f531b439debfe54ef7e017f8e2c4d4a7f34a
Instruction ID: a66e256623c1caf6648b614fb1e019d0168fdbe57a0287e12e4473dbbc28e91a
Opcode Fuzzy Hash: 0b964deb5bc0f9eb0949004cf179f531b439debfe54ef7e017f8e2c4d4a7f34a
Instruction Fuzzy Hash: 23012436F092215EA67477B9BC868AB2A94DB533BC721023FF424851F2FF590C02518E

Function 004241E7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000), ref: 004241FE
GetLastError.KERNEL32(?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8,0040BDB8,?,00416E7D,?), ref: 0042420A

Part of subcall function 004241D0: CloseHandle.KERNEL32(FFFFFFFE,0042421A,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8,0040BDB8), ref: 004241E0

___initconout.LIBCMT ref: 0042421A

Part of subcall function 00424192: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004241C1,00421C31,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8), ref: 004241A5

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8), ref: 0042422F

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction ID: 4f4531f6176a0c5b6c9a7a905856594723a902087f3f8d784f297790ae8fc46e
Opcode Fuzzy Hash: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction Fuzzy Hash: C1F03736200124BBCF222FD5FC0899A7F26FB853B0F414065FA5995130C6319870AB99

Function 00401E50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408090: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407FAB,?,?,?,?,00407FAB,0000000C,00432FA4,0000000C), ref: 004080F0

Strings

ios_base::failbit set, xrefs: 00401E62
ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 195284d85085cfcb6c91532f94d9606232df54a46d20a557ea02a48c59055347
Instruction ID: 797d091bbb829d4e8b0eea89e00af225cce609620468ab5527f299f1bcc47ce9
Opcode Fuzzy Hash: 195284d85085cfcb6c91532f94d9606232df54a46d20a557ea02a48c59055347
Instruction Fuzzy Hash: 2D414771504301AFC304DF29C841A9BB7E8EF89310F14862FF994A76A1E778E945CB99

Function 0040A430 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0040A46F
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A523

Strings

csm, xrefs: 0040A50D

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction ID: 2e999a1580a82348229a279466bd0bfc2513c0ac70a5a2249b741fcd72562a23
Opcode Fuzzy Hash: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction Fuzzy Hash: 2741C834A00318ABCF10DF69C844A9E7BB0FF45314F1481A6E8146B3D2D779E961CB9A

Function 004737F6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 00473901

Strings

RCC, xrefs: 00473835
MOC, xrefs: 0047382D

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: c452d5c3f3f221536ef9a893cfaa3ef082ce815aa9c93d6fabe76d6caf33207f
Instruction ID: f174ec0e010e1d1de7f9ea624993fdd633e91969efc10b4a5d06650140e86333
Opcode Fuzzy Hash: c452d5c3f3f221536ef9a893cfaa3ef082ce815aa9c93d6fabe76d6caf33207f
Instruction Fuzzy Hash: EB419CB1900209EFCF15DF98CD81AEE7BB5FF08305F15805AFA1867212D3399A50EB59

Function 0040AD3D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0040AD62

Strings

MOC, xrefs: 0040AD74
RCC, xrefs: 0040AD7C

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction ID: a4c454b0bcb5eef0a2e58a0d06434270c6490fd8828ce8058ef1224e804d7477
Opcode Fuzzy Hash: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction Fuzzy Hash: 4C416E71900209AFCF15DFA4CD81AEEBBB5FF48304F19846AF904B7291D3399960DB95

Function 0047306A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00473073

Strings

csm, xrefs: 00473095
csm, xrefs: 00473106

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 44675b29e8fa3ac8f13c8b9784cc4bae4abb1d5bb277cf09629fa23430680501
Instruction ID: f72b3ba46393463c9c14d0a7e452edce33b5274e5d9a8b081945a01ab6f0d09c
Opcode Fuzzy Hash: 44675b29e8fa3ac8f13c8b9784cc4bae4abb1d5bb277cf09629fa23430680501
Instruction Fuzzy Hash: 1131B231500255EBCF229F94CC448EB7B66FF0971AB58C19BF85849211C73BDE61EB86

Function 00407EA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407EAE
___raise_securityfailure.LIBCMT ref: 00407F6B

Strings

@SC, xrefs: 00407F66

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @SC
API String ID: 3761405300-4053289583
Opcode ID: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction ID: 10e33e2e5eb9a3d5286ccbecc20551b6eaee076d59bf9c7ce06d7c1cd455d27c
Opcode Fuzzy Hash: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction Fuzzy Hash: 2D11E3B4651A04DBD318CF15F8817883BA4BB28346B50B03AE8088B371E3B09595CF5E

Function 00401870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00401875
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004018BA

Part of subcall function 004058AA: _Yarn.LIBCPMT ref: 004058C9
Part of subcall function 004058AA: _Yarn.LIBCPMT ref: 004058ED

Strings

bad locale name, xrefs: 004018C8

Memory Dump Source

Source File: 00000003.00000002.2112248273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_h3VYJaQqI9.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction ID: 698a41e2f8890499ec269fe88a942146f7bab7e11b1414401b60b7a9d3f26e65
Opcode Fuzzy Hash: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction Fuzzy Hash: 90F01D71515B408ED370DF3A8404743BEE0AF29714F048E2EE4CAD7A92E379E508CBA9

Analysis Process: p1NyAJLgZS.exePID: 5876, Parent PID: 4560COMMON

Executed Functions

Function 00007FFD347805A5 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583d35ca1ec8470dd05f600ec695d787dacd1c7e6a1f02121ed6bc0b07175bc4
Instruction ID: 52d15445ef32fa985107c17dd80aa812e855713b7b5573f2a4129da8c5a258ed
Opcode Fuzzy Hash: 583d35ca1ec8470dd05f600ec695d787dacd1c7e6a1f02121ed6bc0b07175bc4
Instruction Fuzzy Hash: 770175B1D5938ACEE780AB7441BB2FD7AA0AF03305F4158B5D108E2083D93C3654D6D0

Function 00007FFD3478118A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b50ec72035bed1689f94da6340beb2ea670d0a724a3b28160b85a22c4082bff
Instruction ID: 48e02620ea6f933fcbf95f4eeb65048e6618dc8a677c1d64f669f86e1d8a1ecc
Opcode Fuzzy Hash: 8b50ec72035bed1689f94da6340beb2ea670d0a724a3b28160b85a22c4082bff
Instruction Fuzzy Hash: A1215371F0991D8FEB94DB98D4919BDB7B1EF95341F400179E10DE7192CE39A841C740

Function 00007FFD3478107D Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd159e4fcf7db5064f6ddd1af306ffe8b03f58472b762d9c5f7abfad7685c34
Instruction ID: 22b0dd4fa2a66a2ee92316f74c02e4a95fe74dcfa550e99e695a12cb9b5e6c8a
Opcode Fuzzy Hash: 0bd159e4fcf7db5064f6ddd1af306ffe8b03f58472b762d9c5f7abfad7685c34
Instruction Fuzzy Hash: 271148B0D192598AEB84EB54C8A56FDB7B1EF5A312F001439D109B22D2DA7C6608DBA1

Function 00007FFD347812C1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ddc57c63dedf2efad6629fb8289fff644f5ce0e1a7118d5284dca8a08d8776
Instruction ID: 4fccc58e382bbf2c14412958673deec90707c6edcd2293df40cb8ded2b0f5e83
Opcode Fuzzy Hash: 17ddc57c63dedf2efad6629fb8289fff644f5ce0e1a7118d5284dca8a08d8776
Instruction Fuzzy Hash: 4F016D7191864E8FEB80EF68C859AEEBBF0FF15300F4149A7D408D6152EB38A654CB81

Function 00007FFD3478056D Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e99b0ac4d62dc88161b9bcc9eaedbdaca7d4fcc976718386f7a9b13131ef6a
Instruction ID: 9832b1c3a499cb8017ca0a18820896308ec7422a5ad1ec4b9d07ec1f36aa2d1e
Opcode Fuzzy Hash: 79e99b0ac4d62dc88161b9bcc9eaedbdaca7d4fcc976718386f7a9b13131ef6a
Instruction Fuzzy Hash: B4F04F70A18A4E8FEB80EFA8C859AEEB7B0FF15305F004976E418D2151DB34A550CB81

Function 00007FFD34780C31 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f157da19d715e0f2c5f34a498a35a45e1ceb55b9f947e7b26dfdc2296a8a7657
Instruction ID: 0bf7b6eac74d90665b955623cac77d4dee6a5b43937230141c10c73a2bdc1a77
Opcode Fuzzy Hash: f157da19d715e0f2c5f34a498a35a45e1ceb55b9f947e7b26dfdc2296a8a7657
Instruction Fuzzy Hash: D8F0FA3290C2C98FE3829B6088243E63BF1EB52301F0442B6D148DA1D2CA2C6614C782

Function 00007FFD34780BEA Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e365ddf461e5c2c4f306af244d840a1eb368e8abb0b6ce1ee5f67c6fa17ff56
Instruction ID: 51e72913d4f5eb875dfdb5e665615cd55c2c394fa97c07066a0101b08d5879c3
Opcode Fuzzy Hash: 2e365ddf461e5c2c4f306af244d840a1eb368e8abb0b6ce1ee5f67c6fa17ff56
Instruction Fuzzy Hash: 9AF03071E051198FDF88DF94E4A16FDB7B1FF99321F040039D00AE3180CA386944CB61

Function 00007FFD34780FF2 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b818de180c83641465eedb32e6949411b7a54510565f50e7588aee2154e403
Instruction ID: 6be40f5d64cc5dee3a2a75243f3492b555c1d28ab52cd1d9d071458712ad57f7
Opcode Fuzzy Hash: c6b818de180c83641465eedb32e6949411b7a54510565f50e7588aee2154e403
Instruction Fuzzy Hash: 49E09A70E0060DCFDB84DB64D4925BEB771FF86205F50057DD119E7A91CB36A541CB80

Function 00007FFD34780C8F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f399e291cb8ef97703f84bb645e38b681a455a984b538eeb4e293a7eb183a47e
Instruction ID: 5266df7ae4da171f4611ea9995f16f6b27e0f9489776abef123d0ce51d00a153
Opcode Fuzzy Hash: f399e291cb8ef97703f84bb645e38b681a455a984b538eeb4e293a7eb183a47e
Instruction Fuzzy Hash: D3E09A30A1881E8FDB94FB98C4A5AAD7BF1FF58302F400065D109E7261CA24A8408B51

Function 00007FFD34780E1A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4717319308.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34780000_p1NyAJLgZS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a97fef6b46cc7858e6da438e9c1acb58895bc349ac75d3d5fd0e5324433ecd
Instruction ID: 0e54d42a81d18d95f29c57472049a6204768d655bd1b55f7d3845947323c4140
Opcode Fuzzy Hash: 45a97fef6b46cc7858e6da438e9c1acb58895bc349ac75d3d5fd0e5324433ecd
Instruction Fuzzy Hash: E5D05232F0080C8AEF40EB98D4518EEB3B0EF88206F000076C008E3061CE2429508B50

Analysis Process: nRIsFYood8.exePID: 6320, Parent PID: 4560COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1578
Total number of Limit Nodes:	7

Executed Functions

Function 008FA150 Relevance: 77.1, APIs: 27, Strings: 16, Instructions: 1873COMMON

Download Yara Rule

Strings

Window, xrefs: 008FB743, 008FBD7D, 008FBE40, 008FBEA4
=C;R, xrefs: 008FB479
+)J], xrefs: 008FB215
[0(, xrefs: 008FA3C3
\0(, xrefs: 008FB6F6
=C;R, xrefs: 008FADB6
dj<, xrefs: 008FB1AE
<C;R, xrefs: 008FA425
\0(, xrefs: 008FBEBE
\0(, xrefs: 008FBED1
\0(, xrefs: 008FAD88
dj<, xrefs: 008FAB3F
+)J], xrefs: 008FB118
dj<, xrefs: 008FABD8
+)J], xrefs: 008FB6E1
+)J], xrefs: 008FB6CE

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: +)J]$+)J]$+)J]$+)J]$<C;R$=C;R$=C;R$Window$[0($\0($\0($\0($\0($dj<$dj<$dj<
API String ID: 0-47159879
Opcode ID: 888f29d2a888b1fd1d8eeaba401b98af01ffe7311871db6392b261a1508e0ef2
Instruction ID: 33b7cd2da166ba8a1e6e15e13dc902b7090ede495498fdf4c58a88b9a5869c2c
Opcode Fuzzy Hash: 888f29d2a888b1fd1d8eeaba401b98af01ffe7311871db6392b261a1508e0ef2
Instruction Fuzzy Hash: F7E238752156088BCA2C8B34D9E877A77A1FF65330F31424BE717EB6E0CB219D859782

Function 008F9160 Relevance: 65.7, APIs: 20, Strings: 17, Instructions: 932COMMON

Download Yara Rule

Strings

Hello!, xrefs: 008F9703, 008F983E, 008F9A41, 008F9FE1
|2qZ, xrefs: 008F9251
onK2, xrefs: 008F9E3B
zTJ, xrefs: 008F9598
xW&, xrefs: 008F99D0
}2qZ, xrefs: 008F91E2
A, xrefs: 008F9489
A, xrefs: 008F9495
}2qZ, xrefs: 008F9893
zTJ, xrefs: 008F95AA
onK2, xrefs: 008F9350
}2qZ, xrefs: 008F97BF
zTJ, xrefs: 008F97B0
xW&, xrefs: 008F9797
zTJ, xrefs: 008F9541
A, xrefs: 008F9E21
A, xrefs: 008F9CC6

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: Hello!$onK2$onK2$xW&$xW&$|2qZ$}2qZ$}2qZ$}2qZ$zTJ$zTJ$zTJ$zTJ$A$A$A$A
API String ID: 0-1580651315
Opcode ID: 7cf17b8c79d49a1f60afb7eff8b1ee86d7b14e0e0dbbc1157fea8a492d8620de
Instruction ID: b315353eec9c943978bbe509a0a0a9ef3710dd526989a0bfe2035538e018c40b
Opcode Fuzzy Hash: 7cf17b8c79d49a1f60afb7eff8b1ee86d7b14e0e0dbbc1157fea8a492d8620de
Instruction Fuzzy Hash: 9772F73531920C9B9F2CCB3CA9E867E7396FB58310724511AFA62DB7A0DB358C41DB52

Function 008F6BC7 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 008F6C2A
CloseHandle.KERNEL32(?), ref: 008F8074

Strings

], xrefs: 008F8CD7
"GG, xrefs: 008F76DE
"GG, xrefs: 008F76C0

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: "GG$"GG$]
API String ID: 3498533004-4126490356
Opcode ID: 914e40a29c5efb18ef2f8430e81fcf73dca135e70845c04545f0944472c79866
Instruction ID: 728a100aaac8689aec003dd543ed8974aa0ac3de6a305e59dadb3e6fe40cde2c
Opcode Fuzzy Hash: 914e40a29c5efb18ef2f8430e81fcf73dca135e70845c04545f0944472c79866
Instruction Fuzzy Hash: CA51373A61614C8F8F288A384DC467D7392FB98370F348716E725EB7E4EA35CC868641

Non-executed Functions

Function 0091ADAF Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0091AE9F

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: d128a9f29fa4e9f54ba7c86dd1b07827ae903aeb82d21d7415ee9ead14479552
Instruction ID: 69bb749e5535a9e0e716bfe003dcefe005db3c2891f6f8ed32c9271b355638ee
Opcode Fuzzy Hash: d128a9f29fa4e9f54ba7c86dd1b07827ae903aeb82d21d7415ee9ead14479552
Instruction Fuzzy Hash: 4171D3B1A0A15C6FDF21AF28DC89AFEB7B9AF45300F1441D9E049A7251DB314EC69F11

Function 00915133 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0091513F
IsDebuggerPresent.KERNEL32 ref: 0091520B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0091522B
UnhandledExceptionFilter.KERNEL32(?), ref: 00915235

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 2d851cfafec1d5af3cedb0e43198793759e8f743e18e810ec57636c192013de7
Instruction ID: 405377c26a20cdac3beca877ae58b8072a6cdcd5218cf5f03b82fe35da3916ed
Opcode Fuzzy Hash: 2d851cfafec1d5af3cedb0e43198793759e8f743e18e810ec57636c192013de7
Instruction Fuzzy Hash: 32310575E0921CDBDB21DFA4D9897CCBBB8AF48300F1141AAE40CAB250EB719B858F45

Function 0091DB71 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 0091DC90
___TypeMatch.LIBVCRUNTIME ref: 0091DD9E
CatchIt.LIBVCRUNTIME ref: 0091DDEF
_UnwindNestedFrames.LIBCMT ref: 0091DEF0
CallUnexpected.LIBVCRUNTIME ref: 0091DF0B

Strings

csm, xrefs: 0091DBAE
csm, xrefs: 0091DC1B
csm, xrefs: 0091DCC7

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: f00c894115412e922fac3a09641e517f1ebf8db1fa9d39cb9e53e5908315d124
Instruction ID: 1db03e7d7bb43b3315f032b35a2f5359859c92d59704ae2659583fefcdc25ca0
Opcode Fuzzy Hash: f00c894115412e922fac3a09641e517f1ebf8db1fa9d39cb9e53e5908315d124
Instruction Fuzzy Hash: 38B19D71A0220EEFCF19DFA4D881AEEB7B9FF54310F10495AE8116B252C731DA91CB91

Function 00904B90 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00904CE8

Strings

E&S, xrefs: 00904C54
E&S, xrefs: 00904C9C
D&S, xrefs: 00904C82
cN\, xrefs: 00904CA7
cN\, xrefs: 00904C05

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: _strlen
String ID: D&S$E&S$E&S$cN\$cN\
API String ID: 4218353326-1833663704
Opcode ID: 17df246d836ff0dbe0bf2a2a19855a4bf9de83f63d0dec9238bb0736f80da94d
Instruction ID: 5a71822edb0fafa1dff289fb422408aec4645c22dcbd8379ccbf10c134e3853b
Opcode Fuzzy Hash: 17df246d836ff0dbe0bf2a2a19855a4bf9de83f63d0dec9238bb0736f80da94d
Instruction Fuzzy Hash: 6E51E8B130A2154FDF288D6565E057E76DAABC4344F264C2EF6D6CB3D0E924CC885783

Function 00915890 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 009158C7
___except_validate_context_record.LIBVCRUNTIME ref: 009158CF
_ValidateLocalCookies.LIBCMT ref: 00915958
__IsNonwritableInCurrentImage.LIBCMT ref: 00915983
_ValidateLocalCookies.LIBCMT ref: 009159D8

Strings

csm, xrefs: 0091596D

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cc8ee639d87e78a4e895ae1c80aa3573d85fd4221d6ffa734068e338f79a76de
Instruction ID: 378921020ce8e2b59e860b863544935abc6a110e750eedfa0644e8b8fee6cc4a
Opcode Fuzzy Hash: cc8ee639d87e78a4e895ae1c80aa3573d85fd4221d6ffa734068e338f79a76de
Instruction Fuzzy Hash: 8441D634B0060DDBCF14DF68C885ADEBBB5BF84324F568095E8185B351D7319A85CB92

Function 00917F65 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00918074,?,16CFE936,00000000,0091492F,?,?,00917E26,00000022,FlsSetValue,00922788,00922790,0091492F), ref: 00918026

Strings

ext-ms-, xrefs: 00917FD0
api-ms-, xrefs: 00917FBC

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 3851424c17c9fcb6b129e8c959cb62914770ce83ad4f734d063e1003018fbd83
Instruction ID: 402d1f63ede4515caadb7de5179c3f6aafb5d68a9bbb9075a0bcff3fc75c9d22
Opcode Fuzzy Hash: 3851424c17c9fcb6b129e8c959cb62914770ce83ad4f734d063e1003018fbd83
Instruction Fuzzy Hash: B8210832B1D21AABDB319B64AC40ADB776CAF453A0F110510ED06B7290DB71ED42E6D0

Function 0091F3A6 Relevance: 9.2, APIs: 6, Instructions: 248
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(013452E0,013452E0,00000000,7FFFFFFF,?,0091F391,013452E0,013452E0,00000000,013452E0,?,?,?,?,013452E0,00000000), ref: 0091F44C
__freea.LIBCMT ref: 0091F5E1
__freea.LIBCMT ref: 0091F5E7
__freea.LIBCMT ref: 0091F61D
__freea.LIBCMT ref: 0091F623
__freea.LIBCMT ref: 0091F633

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 133a19b98821debcd80cbf7fd47e76880580780b5cdbb19049803061f077ef7f
Instruction ID: e998e2a8312903ac8dc961d3d3b123ba8b81e6593ed346d4a032f66af9194c13
Opcode Fuzzy Hash: 133a19b98821debcd80cbf7fd47e76880580780b5cdbb19049803061f077ef7f
Instruction Fuzzy Hash: 0871F532B0020E6BDF209EA49C65BFF77BA9F89354F280475F818A7291DA35DCC18761

Function 00917827 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0091781E,0091566F,00915292), ref: 00917835
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00917843
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0091785C
SetLastError.KERNEL32(00000000,0091781E,0091566F,00915292), ref: 009178AE

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1549fdec3305cb29127ec751c29082eada64283bdadf9d67a583085e54fedccd
Instruction ID: 58fa2f8efd09fc4d0e8e0c809f23f158d410f32fd47a3e41c003292908d61480
Opcode Fuzzy Hash: 1549fdec3305cb29127ec751c29082eada64283bdadf9d67a583085e54fedccd
Instruction Fuzzy Hash: 2201283231F21AAEAB342AF9ACCAAE7A668DF503783200269F010501E1EF114CC2E154

Function 0091B128 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\nRIsFYood8.exe, xrefs: 0091B144

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\nRIsFYood8.exe
API String ID: 0-1091416874
Opcode ID: e880eb6c1bebdb3c56cea8c31d3e2b4dd716c0b57038fb340ae4eb2dba3f21fd
Instruction ID: 47e9550c9952c01195f17dc70ffaeb45822c338d6a84af463b82aa0eb69a496c
Opcode Fuzzy Hash: e880eb6c1bebdb3c56cea8c31d3e2b4dd716c0b57038fb340ae4eb2dba3f21fd
Instruction Fuzzy Hash: F021C03130820DBF9F21AF65CDA1AEB7BAEEF813647128915F82597151EB30ED90C760

Function 00916347 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,77F1F30F,?,?,00000000,0092180E,000000FF,?,00916408,?,?,009164A4,00000000), ref: 0091637C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0091638E
FreeLibrary.KERNEL32(00000000,?,00000000,0092180E,000000FF,?,00916408,?,?,009164A4,00000000), ref: 009163B0

Strings

mscoree.dll, xrefs: 00916375
CorExitProcess, xrefs: 00916386

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4b6e00697ba85a126da20fb147a599f5dbc99620546aaade37dba96650a73ba1
Instruction ID: e632f05b548fc80783b875f8023ab761807ed9d9087b55291a8af151dfb2eeb4
Opcode Fuzzy Hash: 4b6e00697ba85a126da20fb147a599f5dbc99620546aaade37dba96650a73ba1
Instruction Fuzzy Hash: B3018B72A68629EFDB218F90DC05FBEBBB8FF44B15F000525F811E22D1DB759941DA90

Function 0091DF96 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0091DE9C,?,?,00000000,00000000,00000000,?), ref: 0091DFBB
CatchIt.LIBVCRUNTIME ref: 0091E0A1

Strings

MOC, xrefs: 0091DFCD
RCC, xrefs: 0091DFD5

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 23c7772cae73dd76bb0ce9f8dc03d6c7da817859a5ec038007c1b35d7a90ce32
Instruction ID: 8b45e1f85e62079cb2d70dc55ffdab6b43a2157b189b85d3aef8776d5365b132
Opcode Fuzzy Hash: 23c7772cae73dd76bb0ce9f8dc03d6c7da817859a5ec038007c1b35d7a90ce32
Instruction Fuzzy Hash: 44415871A0420DEFCF26DF98CD81AEEBBB9BF48300F198499F90567211D37599A0DB50

Function 0091C0C5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0091C161,00000000,?,00929690,?,?,?,0091C098,00000004,InitializeCriticalSectionEx,009230A0,009230A8), ref: 0091C0D2
GetLastError.KERNEL32(?,0091C161,00000000,?,00929690,?,?,?,0091C098,00000004,InitializeCriticalSectionEx,009230A0,009230A8,00000000,?,00917945), ref: 0091C0DC
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0091C104

Strings

api-ms-, xrefs: 0091C0E9

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 98701764b25bd95771ef2066169ff08ce1780ec3dce6510234e1d09962358abb
Instruction ID: 83584059b4f88bed4d133e80ae7b06c7a7f36da2880ac96634f807e61c6af257
Opcode Fuzzy Hash: 98701764b25bd95771ef2066169ff08ce1780ec3dce6510234e1d09962358abb
Instruction Fuzzy Hash: ACE012717CD309BAEB206FA1EC06B597F599F01B45F104420F94CA80A3D762E8A1A945

Function 0091CB32 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(77F1F30F,00000000,00000000,?), ref: 0091CB95

Part of subcall function 0091B782: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0091C533,?,00000000,-00000008), ref: 0091B7E3

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0091CDE7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0091CE2D
GetLastError.KERNEL32 ref: 0091CED0

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: a085a375234e20d510ed2d986e5954c38e47018f129b84db27852cf96dbaf90b
Instruction ID: cf7c65dbcdd40883301c0db35d46545c9e5ab0a9a7b78f958a75ffde932e0e3b
Opcode Fuzzy Hash: a085a375234e20d510ed2d986e5954c38e47018f129b84db27852cf96dbaf90b
Instruction Fuzzy Hash: 81D16CB5E4425C9FCB15CFA8D880AEDBBB5FF49300F18456AE456EB351D630AD82CB50

Function 0091D99A Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0091DA61
___AdjustPointer.LIBCMT ref: 0091DA84
___AdjustPointer.LIBCMT ref: 0091DB20

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 10c48e339f6ed08307cfe926e00ac431c7c3807bbb01f195dedbb76889dbe43e
Instruction ID: 5637c0f6ad248a8ff68bf657c65b4cdfbd2301402e58888f1b8731af686f9609
Opcode Fuzzy Hash: 10c48e339f6ed08307cfe926e00ac431c7c3807bbb01f195dedbb76889dbe43e
Instruction Fuzzy Hash: 9251B17270A60EDFEB29DF54D881BEAB7A8EF84310F154529E806472A1E735ECD0C790

Function 0091AB8C Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0091B782: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0091C533,?,00000000,-00000008), ref: 0091B7E3

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,0091AF32,?,?,?,00000000), ref: 0091ABF0
__dosmaperr.LIBCMT ref: 0091ABF7
GetLastError.KERNEL32(00000000,0091AF32,?,?,00000000,?,?,?,00000000,00000000,?,0091AF32,?,?,?,00000000), ref: 0091AC31
__dosmaperr.LIBCMT ref: 0091AC38

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 724bd0e4fe017969133ea4b0ec8d17d769f34133284ca5677f52793557385109
Instruction ID: 835fed1fa75384dc543222a64536f783f17d3f7f2d055b1ccc7238dd3e7d7aa4
Opcode Fuzzy Hash: 724bd0e4fe017969133ea4b0ec8d17d769f34133284ca5677f52793557385109
Instruction Fuzzy Hash: 5D21F27130920DAF9B21AF65CC819EBB7ADEF403247108829F86697151D734ECC18B92

Function 0091B87E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0091B886

Part of subcall function 0091B782: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0091C533,?,00000000,-00000008), ref: 0091B7E3

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0091B8BE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0091B8DE

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: e58953e8c3aa42546dbfe3586ac15807d6b1ca64c5b1f9600e7a706c67db30c4
Instruction ID: ac3167958e9210d7a08e1352239e4cf2a69401b013038035e7505c4d8b2d5d66
Opcode Fuzzy Hash: e58953e8c3aa42546dbfe3586ac15807d6b1ca64c5b1f9600e7a706c67db30c4
Instruction Fuzzy Hash: 661126B171910D7E67212BB29C8ADFFB99EDEC63A87100424F902D1102EB34DE925270

Function 0091F830 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0091F042,00000000,00000001,00000000,?,?,0091CF24,?,00000000,00000000), ref: 0091F847
GetLastError.KERNEL32(?,0091F042,00000000,00000001,00000000,?,?,0091CF24,?,00000000,00000000,?,?,?,0091C86A,00000000), ref: 0091F853

Part of subcall function 0091F8A4: CloseHandle.KERNEL32(FFFFFFFE,0091F863,?,0091F042,00000000,00000001,00000000,?,?,0091CF24,?,00000000,00000000,?,?), ref: 0091F8B4

___initconout.LIBCMT ref: 0091F863

Part of subcall function 0091F885: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0091F821,0091F02F,?,?,0091CF24,?,00000000,00000000,?), ref: 0091F898

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0091F042,00000000,00000001,00000000,?,?,0091CF24,?,00000000,00000000,?), ref: 0091F878

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: b464bcd43e4fc20987545c16773556808d84de9d14a0438c6b7cf81cb4ff7a52
Instruction ID: 794cbbfe42dab999e2a641ba4332f8ee5d7743c8aabe73e7604346e8d73413fe
Opcode Fuzzy Hash: b464bcd43e4fc20987545c16773556808d84de9d14a0438c6b7cf81cb4ff7a52
Instruction Fuzzy Hash: 05F0C93661911DBBCF322FD5DC19ADA7F66FF483A1B0540A0FE1D96130DA328861EB91

Function 008F67BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 008F6809
CloseHandle.KERNEL32(?), ref: 008F7CB2

Strings

Lb, xrefs: 008F7C9A

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: CloseFileHandleRead
String ID: Lb
API String ID: 2331702139-1610255346
Opcode ID: 9b89a0657792ba4ed8466b0a0dea61a5094f4b8db3f340f17de3401f34d64a5f
Instruction ID: 0970779d3fc96b31621d7ab74c194b7106c95f9740d9064184e1ab425826e8ef
Opcode Fuzzy Hash: 9b89a0657792ba4ed8466b0a0dea61a5094f4b8db3f340f17de3401f34d64a5f
Instruction Fuzzy Hash: 1A413A7512A04C8B9E3846384DC457D73A2FB98370B384B13D721E77B8FA35CC969652

Function 0091D80A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0091D813

Strings

csm, xrefs: 0091D8A6
csm, xrefs: 0091D835

Memory Dump Source

Source File: 00000005.00000002.2118421809.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000005.00000002.2118343678.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118502961.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118524362.0000000000928000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118611121.0000000000929000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118656748.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118689971.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2118806671.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: eb744694110bdf424562a2c4282076e587ed1b4350da5da2feaa1d02ac9ce50e
Instruction ID: ef117686a863f45efd8534e9d5d686ff881c0928c96a6203cde0a80e5e34b0d1
Opcode Fuzzy Hash: eb744694110bdf424562a2c4282076e587ed1b4350da5da2feaa1d02ac9ce50e
Instruction Fuzzy Hash: 61319E32A1221DABCF269F90DC449EA7B7AFF49319B18859AF85449121C336CCE1DB81

Analysis Process: nRIsFYood8.exePID: 1912, Parent PID: 6320COMMON

Non-executed Functions

Function 0090FAF0 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 292COMMON

Download Yara Rule

Strings

/3|>, xrefs: 0090FC01
/3|>, xrefs: 0090FD8C
/3|>, xrefs: 0090FD82
/3|>, xrefs: 0090FDBD

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: /3|>$/3|>$/3|>$/3|>
API String ID: 0-3543310136
Opcode ID: 4fddb68f14bbd258e14efc69d1f3e4f6db338dd5db3e1c8bf344e1ff081fa10b
Instruction ID: 5ac8e8f9dbb35d0c16c392c9c72c67708bd1a6c57705141da083f07f198e7bac
Opcode Fuzzy Hash: 4fddb68f14bbd258e14efc69d1f3e4f6db338dd5db3e1c8bf344e1ff081fa10b
Instruction Fuzzy Hash: 86A12F362147054FCA389F28D5F862D72D5DBC6320F608A36E55ACB7F5D734CA819B42

Function 0091ADAF Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0091AE9F

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: db746e25c95c55fba1ed48ceaf5eb8a39dcdddbd57a395c538b28cf8f61a08cb
Instruction ID: 69bb749e5535a9e0e716bfe003dcefe005db3c2891f6f8ed32c9271b355638ee
Opcode Fuzzy Hash: db746e25c95c55fba1ed48ceaf5eb8a39dcdddbd57a395c538b28cf8f61a08cb
Instruction Fuzzy Hash: 4171D3B1A0A15C6FDF21AF28DC89AFEB7B9AF45300F1441D9E049A7251DB314EC69F11

Function 00915133 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0091513F
IsDebuggerPresent.KERNEL32 ref: 0091520B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0091522B
UnhandledExceptionFilter.KERNEL32(?), ref: 00915235

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: be57e68b8fb4460ab650eb8da861e85d585296af8c09f3295874102bcc1c15d4
Instruction ID: 405377c26a20cdac3beca877ae58b8072a6cdcd5218cf5f03b82fe35da3916ed
Opcode Fuzzy Hash: be57e68b8fb4460ab650eb8da861e85d585296af8c09f3295874102bcc1c15d4
Instruction Fuzzy Hash: 32310575E0921CDBDB21DFA4D9897CCBBB8AF48300F1141AAE40CAB250EB719B858F45

Function 0091DB71 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0091DC90
___TypeMatch.LIBVCRUNTIME ref: 0091DD9E
CatchIt.LIBVCRUNTIME ref: 0091DDEF
_UnwindNestedFrames.LIBCMT ref: 0091DEF0
CallUnexpected.LIBVCRUNTIME ref: 0091DF0B

Strings

csm, xrefs: 0091DCC7
csm, xrefs: 0091DBAE
csm, xrefs: 0091DC1B

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 664cbd589331c8ec8ad9e79611b345bd62da015b64b653a851215e646e891a48
Instruction ID: 1db03e7d7bb43b3315f032b35a2f5359859c92d59704ae2659583fefcdc25ca0
Opcode Fuzzy Hash: 664cbd589331c8ec8ad9e79611b345bd62da015b64b653a851215e646e891a48
Instruction Fuzzy Hash: 38B19D71A0220EEFCF19DFA4D881AEEB7B9FF54310F10495AE8116B252C731DA91CB91

Function 00915890 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009158C7
___except_validate_context_record.LIBVCRUNTIME ref: 009158CF
_ValidateLocalCookies.LIBCMT ref: 00915958
__IsNonwritableInCurrentImage.LIBCMT ref: 00915983
_ValidateLocalCookies.LIBCMT ref: 009159D8

Strings

csm, xrefs: 0091596D

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cc8ee639d87e78a4e895ae1c80aa3573d85fd4221d6ffa734068e338f79a76de
Instruction ID: 378921020ce8e2b59e860b863544935abc6a110e750eedfa0644e8b8fee6cc4a
Opcode Fuzzy Hash: cc8ee639d87e78a4e895ae1c80aa3573d85fd4221d6ffa734068e338f79a76de
Instruction Fuzzy Hash: 8441D634B0060DDBCF14DF68C885ADEBBB5BF84324F568095E8185B351D7319A85CB92

Function 00917F65 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00918074,?,16CFE936,00000000,0091492F,?,?,00917E26,00000022,FlsSetValue,00922788,00922790,0091492F), ref: 00918026

Strings

ext-ms-, xrefs: 00917FD0
api-ms-, xrefs: 00917FBC

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 3851424c17c9fcb6b129e8c959cb62914770ce83ad4f734d063e1003018fbd83
Instruction ID: 402d1f63ede4515caadb7de5179c3f6aafb5d68a9bbb9075a0bcff3fc75c9d22
Opcode Fuzzy Hash: 3851424c17c9fcb6b129e8c959cb62914770ce83ad4f734d063e1003018fbd83
Instruction Fuzzy Hash: B8210832B1D21AABDB319B64AC40ADB776CAF453A0F110510ED06B7290DB71ED42E6D0

Function 0091F3A6 Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,0091F391,?,?,?,?,?,?,?,?,?,?), ref: 0091F44C
__freea.LIBCMT ref: 0091F5E1
__freea.LIBCMT ref: 0091F5E7
__freea.LIBCMT ref: 0091F61D
__freea.LIBCMT ref: 0091F623
__freea.LIBCMT ref: 0091F633

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 133a19b98821debcd80cbf7fd47e76880580780b5cdbb19049803061f077ef7f
Instruction ID: e998e2a8312903ac8dc961d3d3b123ba8b81e6593ed346d4a032f66af9194c13
Opcode Fuzzy Hash: 133a19b98821debcd80cbf7fd47e76880580780b5cdbb19049803061f077ef7f
Instruction Fuzzy Hash: 0871F532B0020E6BDF209EA49C65BFF77BA9F89354F280475F818A7291DA35DCC18761

Function 00917827 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0091781E,0091566F,00915292), ref: 00917835
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00917843
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0091785C
SetLastError.KERNEL32(00000000,0091781E,0091566F,00915292), ref: 009178AE

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 59274c59832e5351cecc2b61f85e23c3166200b18b026ea61d9822532d92a3a7
Instruction ID: 58fa2f8efd09fc4d0e8e0c809f23f158d410f32fd47a3e41c003292908d61480
Opcode Fuzzy Hash: 59274c59832e5351cecc2b61f85e23c3166200b18b026ea61d9822532d92a3a7
Instruction Fuzzy Hash: 2201283231F21AAEAB342AF9ACCAAE7A668DF503783200269F010501E1EF114CC2E154

Function 00907920 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

]SV8, xrefs: 009079CD
string too long, xrefs: 00907B3D
]SV8, xrefs: 00907A9E
]SV8, xrefs: 00907977

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: ]SV8$]SV8$]SV8$string too long
API String ID: 0-227100900
Opcode ID: 695d072776dcbce87952e4ca5f963691062cd7114b5d6058bc8deecaab12a52f
Instruction ID: a2f42fd3a8f80970c5089ec207df4f12798c3e5d69409cd19b5a122358136329
Opcode Fuzzy Hash: 695d072776dcbce87952e4ca5f963691062cd7114b5d6058bc8deecaab12a52f
Instruction Fuzzy Hash: 33412326F4C260DFCE3056EC44822AEF1C447857B0FBA4917E8F4AB381E165ED898782

Function 0091DF96 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0091DE9C,?,?,00000000,00000000,00000000,?), ref: 0091DFBB
CatchIt.LIBVCRUNTIME ref: 0091E0A1

Strings

MOC, xrefs: 0091DFCD
RCC, xrefs: 0091DFD5

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 23c7772cae73dd76bb0ce9f8dc03d6c7da817859a5ec038007c1b35d7a90ce32
Instruction ID: 8b45e1f85e62079cb2d70dc55ffdab6b43a2157b189b85d3aef8776d5365b132
Opcode Fuzzy Hash: 23c7772cae73dd76bb0ce9f8dc03d6c7da817859a5ec038007c1b35d7a90ce32
Instruction Fuzzy Hash: 44415871A0420DEFCF26DF98CD81AEEBBB9BF48300F198499F90567211D37599A0DB50

Function 0091C0C5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000016,00000000,00000800,?,0091C161,?,?,?,?,?,?,0091BFA9,00000000,FlsAlloc,00923080,00923088), ref: 0091C0D2
GetLastError.KERNEL32(?,0091C161,?,?,?,?,?,?,0091BFA9,00000000,FlsAlloc,00923080,00923088,?,?,009177D5), ref: 0091C0DC
LoadLibraryExW.KERNEL32(00000016,00000000,00000000,0091492F,00000016,009174BD,?,?,?,?,?,00000000,?,?,?,00914998), ref: 0091C104

Strings

api-ms-, xrefs: 0091C0E9

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 98701764b25bd95771ef2066169ff08ce1780ec3dce6510234e1d09962358abb
Instruction ID: 83584059b4f88bed4d133e80ae7b06c7a7f36da2880ac96634f807e61c6af257
Opcode Fuzzy Hash: 98701764b25bd95771ef2066169ff08ce1780ec3dce6510234e1d09962358abb
Instruction Fuzzy Hash: ACE012717CD309BAEB206FA1EC06B597F599F01B45F104420F94CA80A3D762E8A1A945

Function 0091CB32 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 0091CB95

Part of subcall function 0091B782: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0091C533,?,00000000,-00000008), ref: 0091B7E3

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0091CDE7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0091CE2D
GetLastError.KERNEL32 ref: 0091CED0

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: a085a375234e20d510ed2d986e5954c38e47018f129b84db27852cf96dbaf90b
Instruction ID: cf7c65dbcdd40883301c0db35d46545c9e5ab0a9a7b78f958a75ffde932e0e3b
Opcode Fuzzy Hash: a085a375234e20d510ed2d986e5954c38e47018f129b84db27852cf96dbaf90b
Instruction Fuzzy Hash: 81D16CB5E4425C9FCB15CFA8D880AEDBBB5FF49300F18456AE456EB351D630AD82CB50

Function 0091D99A Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0091DA61
___AdjustPointer.LIBCMT ref: 0091DA84
___AdjustPointer.LIBCMT ref: 0091DB20

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 10c48e339f6ed08307cfe926e00ac431c7c3807bbb01f195dedbb76889dbe43e
Instruction ID: 5637c0f6ad248a8ff68bf657c65b4cdfbd2301402e58888f1b8731af686f9609
Opcode Fuzzy Hash: 10c48e339f6ed08307cfe926e00ac431c7c3807bbb01f195dedbb76889dbe43e
Instruction Fuzzy Hash: 9251B17270A60EDFEB29DF54D881BEAB7A8EF84310F154529E806472A1E735ECD0C790

Function 0091AB8C Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0091B782: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0091C533,?,00000000,-00000008), ref: 0091B7E3

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,0091AF32,?,?,?,00000000), ref: 0091ABF0
__dosmaperr.LIBCMT ref: 0091ABF7
GetLastError.KERNEL32(00000000,0091AF32,?,?,00000000,?,?,?,00000000,00000000,?,0091AF32,?,?,?,00000000), ref: 0091AC31
__dosmaperr.LIBCMT ref: 0091AC38

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 724bd0e4fe017969133ea4b0ec8d17d769f34133284ca5677f52793557385109
Instruction ID: 835fed1fa75384dc543222a64536f783f17d3f7f2d055b1ccc7238dd3e7d7aa4
Opcode Fuzzy Hash: 724bd0e4fe017969133ea4b0ec8d17d769f34133284ca5677f52793557385109
Instruction Fuzzy Hash: 5D21F27130920DAF9B21AF65CC819EBB7ADEF403247108829F86697151D734ECC18B92

Function 0091B128 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e880eb6c1bebdb3c56cea8c31d3e2b4dd716c0b57038fb340ae4eb2dba3f21fd
Instruction ID: 47e9550c9952c01195f17dc70ffaeb45822c338d6a84af463b82aa0eb69a496c
Opcode Fuzzy Hash: e880eb6c1bebdb3c56cea8c31d3e2b4dd716c0b57038fb340ae4eb2dba3f21fd
Instruction Fuzzy Hash: F021C03130820DBF9F21AF65CDA1AEB7BAEEF813647128915F82597151EB30ED90C760

Function 0091B87E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0091B886

Part of subcall function 0091B782: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0091C533,?,00000000,-00000008), ref: 0091B7E3

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0091B8BE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0091B8DE

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 9ef1cccfb8365dc46c4be75e1f5f04356e91067ab0d421cb2c80705c771f2377
Instruction ID: ac3167958e9210d7a08e1352239e4cf2a69401b013038035e7505c4d8b2d5d66
Opcode Fuzzy Hash: 9ef1cccfb8365dc46c4be75e1f5f04356e91067ab0d421cb2c80705c771f2377
Instruction Fuzzy Hash: 661126B171910D7E67212BB29C8ADFFB99EDEC63A87100424F902D1102EB34DE925270

Function 0091F830 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0091F042,00000000,00000001,00000000,?,?,0091CF24,?,00000000,00000000), ref: 0091F847
GetLastError.KERNEL32(?,0091F042,00000000,00000001,00000000,?,?,0091CF24,?,00000000,00000000,?,?,?,0091C86A,00000000), ref: 0091F853

Part of subcall function 0091F8A4: CloseHandle.KERNEL32(FFFFFFFE,0091F863,?,0091F042,00000000,00000001,00000000,?,?,0091CF24,?,00000000,00000000,?,?), ref: 0091F8B4

___initconout.LIBCMT ref: 0091F863

Part of subcall function 0091F885: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0091F821,0091F02F,?,?,0091CF24,?,00000000,00000000,?), ref: 0091F898

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0091F042,00000000,00000001,00000000,?,?,0091CF24,?,00000000,00000000,?), ref: 0091F878

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: b464bcd43e4fc20987545c16773556808d84de9d14a0438c6b7cf81cb4ff7a52
Instruction ID: 794cbbfe42dab999e2a641ba4332f8ee5d7743c8aabe73e7604346e8d73413fe
Opcode Fuzzy Hash: b464bcd43e4fc20987545c16773556808d84de9d14a0438c6b7cf81cb4ff7a52
Instruction Fuzzy Hash: 05F0C93661911DBBCF322FD5DC19ADA7F66FF483A1B0540A0FE1D96130DA328861EB91

Function 0091D80A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0091D813

Strings

csm, xrefs: 0091D835
csm, xrefs: 0091D8A6

Memory Dump Source

Source File: 00000007.00000002.2117349119.00000000008E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000007.00000002.2117267728.00000000008E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117417009.0000000000922000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117491177.0000000000928000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117542692.000000000092B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117581657.000000000092E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.2117757082.00000000009C4000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8e0000_nRIsFYood8.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: eb744694110bdf424562a2c4282076e587ed1b4350da5da2feaa1d02ac9ce50e
Instruction ID: ef117686a863f45efd8534e9d5d686ff881c0928c96a6203cde0a80e5e34b0d1
Opcode Fuzzy Hash: eb744694110bdf424562a2c4282076e587ed1b4350da5da2feaa1d02ac9ce50e
Instruction Fuzzy Hash: 61319E32A1221DABCF269F90DC449EA7B7AFF49319B18859AF85449121C336CCE1DB81

Analysis Process: nRIsFYood8.exePID: 2196, Parent PID: 6320COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.2%
Total number of Nodes:	72
Total number of Limit Nodes:	6

Executed Functions

Function 0040C010 Relevance: 10.5, Strings: 8, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q5A+, xrefs: 0040C1A8
q%[, xrefs: 0040C1D0
u3k, xrefs: 0040C248
<I3O, xrefs: 0040C202
M)H/, xrefs: 0040C1B2
Hi)o, xrefs: 0040C252
+U2K, xrefs: 0040C1F8
gu, xrefs: 0040C11C

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: +U2K$<I3O$Hi)o$M)H/$Q5A+$gu$q%[$u3k
API String ID: 0-2654102676
Opcode ID: e37b279088aa9e9ff6a8976a85943de1ef5cfe595219842a18ef7a47e1bbe495
Instruction ID: b1b05ba5c2625d8353ffea0139eccd56bdc201347ec8aedd005e5d8159706977
Opcode Fuzzy Hash: e37b279088aa9e9ff6a8976a85943de1ef5cfe595219842a18ef7a47e1bbe495
Instruction Fuzzy Hash: 371288B6500B00CFD3248F25D881797BBF2FF8A315F148A2DD5AA9BAA4DB74A505CF44

Function 004097D0 Relevance: 7.7, APIs: 5, Instructions: 152
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004097F2
GetCurrentThreadId.KERNEL32 ref: 00409805
GetCurrentProcessId.KERNEL32 ref: 0040980D
GetForegroundWindow.USER32 ref: 00409929

Part of subcall function 0040D9D0: CoInitializeEx.OLE32(00000000,00000002), ref: 0040D9E3

ExitProcess.KERNEL32 ref: 004099A5

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3701390975-0
Opcode ID: 6d16750194a2f212537b73d3d0cf383b2dbc6827668ba2349d8d7d784b6a70ea
Instruction ID: 30cae4b825af8c2fa6083d2a6418ec44d17d0461e62e3f16e796d2978b265e9f
Opcode Fuzzy Hash: 6d16750194a2f212537b73d3d0cf383b2dbc6827668ba2349d8d7d784b6a70ea
Instruction Fuzzy Hash: 52412CB7B443105BD308AFBADC8634AF6D75BC8740F0A853EA998DB391ED7C9C058685

Function 0043E1F0 Relevance: 2.6, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0043E2B5
Pt1, xrefs: 0043E340

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID: @$Pt1
API String ID: 2994545307-1130223541
Opcode ID: 78bfb72f01a067a3b6451a8b44a2e1ba9554178c3efbd0806f164a2608c2ebc2
Instruction ID: 835d27e07f702b660d3c2a5661e14795ad4ec7e3357e2f17cf216423b219d1c8
Opcode Fuzzy Hash: 78bfb72f01a067a3b6451a8b44a2e1ba9554178c3efbd0806f164a2608c2ebc2
Instruction Fuzzy Hash: 3E4142B1A093108BCB14CF65C89172BB7E5FFCA314F09996DE9855B3D1E3399808C79A

Function 004392E0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0043933E

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 454574f5df473f0fcd311bed3fa3b8d3e91aadd4231d0f7881f6cb84b11e454d
Instruction ID: e9a4905110f65b680acdd64c4bcc2954274404b2490b19d1be58e77edbb5e721
Opcode Fuzzy Hash: 454574f5df473f0fcd311bed3fa3b8d3e91aadd4231d0f7881f6cb84b11e454d
Instruction Fuzzy Hash: 6BF0503291821047D7058F18ED1162BB7E2EFD6702F04652CD88457358D6345CA9C7D6

Function 0043BD50 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043E1CB,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043BD7E

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043BFC4 Relevance: 1.4, Strings: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0043C14D

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b4f1cb7713f3bbaa482dbc133f5e453daebe41d40e13292ff672967ff33896a4
Instruction ID: dbfe6d112098772e5bd12676952dd1adc64d39192a6df5367413ff1dcc72030f
Opcode Fuzzy Hash: b4f1cb7713f3bbaa482dbc133f5e453daebe41d40e13292ff672967ff33896a4
Instruction Fuzzy Hash: 2E41C0746183418AD704CF25C8A032BB7F2FFDA358F14A92DE1D5A7391EB798505CB4A

Function 0043C93F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043C93F
GetForegroundWindow.USER32 ref: 0043C950

Strings

[8, xrefs: 0043C961

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: ForegroundWindow
String ID: [8
API String ID: 2020703349-3360502610
Opcode ID: 9d1e950ba41eeb6a8cd7434b4fb02773004aa458483931c6cd6b17b70f125540
Instruction ID: 9e5ed0678112a10ccb792e2953427659fcc4a6ce57a692c15ad2b16f6a96b260
Opcode Fuzzy Hash: 9d1e950ba41eeb6a8cd7434b4fb02773004aa458483931c6cd6b17b70f125540
Instruction Fuzzy Hash: 2DD0A7FCD208009BD2049721FC4640E36259B47219B1C903EEC038336AEA35756985DF

Function 00434A81 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00434AA7

Strings

7, xrefs: 00434AB8

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: 7
API String ID: 95929093-1790921346
Opcode ID: e48493c5030b03a4a4aad6e2291b0e8c5b3c5453de088515ae4d54885c95b823
Instruction ID: 73f866cce55d3ad596866814da12b013a7a5d43e28f21ceeb697b027c465ecce
Opcode Fuzzy Hash: e48493c5030b03a4a4aad6e2291b0e8c5b3c5453de088515ae4d54885c95b823
Instruction Fuzzy Hash: 3921D571D052A58FDB29CB28CC507E87BA1AFA9304F1880FDC88997381DBB54E85DB11

Function 0043BCA0 Relevance: 1.6, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0043BD1E

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9b10c5431afd6d598bc4c5c8a277ca9eeba4b590cc18c47f66cc77c3f2a9d763
Instruction ID: e2cb3795bc1eadce81b2846e30962cc0ba9191ac88b0bd4b3be60c859d726456
Opcode Fuzzy Hash: 9b10c5431afd6d598bc4c5c8a277ca9eeba4b590cc18c47f66cc77c3f2a9d763
Instruction Fuzzy Hash: 980145B1A093018BE314AF39EC5171BBBA6DFD9301F0C897DE88447242D639C802C6E6

Function 00439350 Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004393D6

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f487c73939820d9f0abc856d41cedbdfe3ada60f06f73499ca69d9f34b8f43b2
Instruction ID: 2e92f107defa413c3d6d52a159c2ed4d4b040cd68aa173e9ad62f9441bcf4337
Opcode Fuzzy Hash: f487c73939820d9f0abc856d41cedbdfe3ada60f06f73499ca69d9f34b8f43b2
Instruction Fuzzy Hash: 0601D43265D240DBE3019F29EC08B0B7BA2FFC5712F168479E8848B2A5DA349C51CB99

Non-executed Functions

Function 00436C70 Relevance: 28.6, APIs: 10, Strings: 6, Instructions: 552memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00441688,00000000,00000001,00441678,00000000), ref: 00436D55
SysAllocString.OLEAUT32(519F4F9E), ref: 00436DE9
CoSetProxyBlanket.OLE32(00006360,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00436E36
SysAllocString.OLEAUT32(519F4F9E), ref: 00436E93
SysAllocString.OLEAUT32(519F4F9E), ref: 00436F27
VariantInit.OLEAUT32(?), ref: 00436F92
VariantClear.OLEAUT32(?), ref: 0043722F
SysFreeString.OLEAUT32(?), ref: 0043725A
SysFreeString.OLEAUT32(?), ref: 00437260
SysFreeString.OLEAUT32(?), ref: 00437274

Strings

\, xrefs: 00436D0F
C, xrefs: 00436D04
`c, xrefs: 00436D8B
8m3o, xrefs: 00436EA5
>MO, xrefs: 00436EE5
@A, xrefs: 00436EFD

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: 8m3o$>MO$@A$C$\$`c
API String ID: 2485776651-2658333405
Opcode ID: 1d2bd77d2f5f7caf0454915367745d6727aefacf9c74d29b2ed396a45a5684bf
Instruction ID: ad8773570ab28036c33516c8e3a3094498ec089d9d43c2a109f1c9c80c6a78d3
Opcode Fuzzy Hash: 1d2bd77d2f5f7caf0454915367745d6727aefacf9c74d29b2ed396a45a5684bf
Instruction Fuzzy Hash: 7C0201B16083019FD720CF64C881B6BBBE4EB99304F144A2EF9D49B391D378D905CB9A

Function 00431FC0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 128clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431FD4
GetWindowLongW.USER32 ref: 00431FF9
GetClipboardData.USER32 ref: 00432009
GlobalLock.KERNEL32 ref: 00432028
GlobalUnlock.KERNEL32 ref: 00432157
CloseClipboard.USER32 ref: 00432162

Strings

A, xrefs: 00432091
B, xrefs: 00432087
[, xrefs: 004320B4
Y, xrefs: 00432073

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: A$B$Y$[
API String ID: 2832541153-2154998070
Opcode ID: 920ef3021efc1b962a6fa1ceabe0f3094b2a39be6007f7f032737ebb33e3d35e
Instruction ID: 81fa5b390ead5b237b10f89e922a4ac482c7f755ced659a212cf2c2239b04545
Opcode Fuzzy Hash: 920ef3021efc1b962a6fa1ceabe0f3094b2a39be6007f7f032737ebb33e3d35e
Instruction Fuzzy Hash: D241B2B150C7818ED300AF78998935FFFE0AB96314F040A3EE5E587392D2B88549C7A7

Function 0041DFB0 Relevance: 15.8, Strings: 12, Instructions: 811COMMON

Download Yara Rule

Strings

o[so, xrefs: 0041E2D8
nonb, xrefs: 0041E310
re, xrefs: 0041E38A
0, xrefs: 0041E640
rsc`, xrefs: 0041E2C0
qsEx, xrefs: 0041E2A8
w~{K, xrefs: 0041E2B0
Pdii, xrefs: 0041E2C8
[G, xrefs: 0041E3A0
YX\Z, xrefs: 0041E630
'|pr, xrefs: 0041E37F
LDBF, xrefs: 0041E638

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: '|pr$0$LDBF$Pdii$YX\Z$nonb$o[so$qsEx$re$rsc`$w~{K$[G
API String ID: 0-4281471547
Opcode ID: b34b3a46ad1637ce006e4515224871060e50798931c3b2b1a9b06e6b50043976
Instruction ID: 5729dd979d1b1dec59020eca68ecbdd4c8dff703c8e8299ac73bf869d9652f19
Opcode Fuzzy Hash: b34b3a46ad1637ce006e4515224871060e50798931c3b2b1a9b06e6b50043976
Instruction Fuzzy Hash: 3B5249785083908FD721CF26C8507AFBFE1AF96314F08866DE8E45B392D7398945CB96

Function 00427868 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 466fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000), ref: 0042790A

Strings

EH@M, xrefs: 00427A41
7#v, xrefs: 0042790A
@A, xrefs: 004278B8
Ajpe, xrefs: 00427A11
aHXN, xrefs: 00427A19
P@EZ, xrefs: 00427A31

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: CopyFile
String ID: @A$Ajpe$EH@M$P@EZ$aHXN$7#v
API String ID: 1304948518-3194046575
Opcode ID: d9ae31c5bde07b7d61cf8becd89436ad3e924bec19cdef35b8828f95b3528530
Instruction ID: c82895026a04a5e975f7aad0224282635a61f90717a453b8bd3668ae38339091
Opcode Fuzzy Hash: d9ae31c5bde07b7d61cf8becd89436ad3e924bec19cdef35b8828f95b3528530
Instruction Fuzzy Hash: AEE14676A087108BD7148F29D84032BB7E2FBC9314F598A3DE9959B392DB749D01CB86

Function 00419960 Relevance: 11.2, Strings: 8, Instructions: 1228COMMON

Download Yara Rule

Strings

%&' , xrefs: 00419DC5
%&' , xrefs: 0041A5D4
\], xrefs: 00419D61
}{, xrefs: 00419D21
%&' , xrefs: 00419C70, 00419CC2
=us, xrefs: 00419D11
%&' , xrefs: 00419995
TU, xrefs: 00419C32

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID: %&' $%&' $%&' $%&' $=us$TU$\]$}{
API String ID: 2994545307-1235908376
Opcode ID: db835c5f5a0e37226ab22bb2f382675d7492604525f9c11a8bcefb2899f4cdec
Instruction ID: 481cff7c60b6dadff782b42446a97254938e7861538370baa376d26b331321ad
Opcode Fuzzy Hash: db835c5f5a0e37226ab22bb2f382675d7492604525f9c11a8bcefb2899f4cdec
Instruction Fuzzy Hash: 2082F77460C3409BD724CF24D891BABB7E2FBC5314F18492EE091872A2D779DC95CB9A

Function 00424E16 Relevance: 10.7, Strings: 8, Instructions: 741COMMON

Download Yara Rule

Strings

TM, xrefs: 00424F80, 00424FB8, 00424FCE, 0042500C
%&' , xrefs: 00424FBD, 00424FCA, 00424EDA, 00424EE3
}{, xrefs: 00424F44
6B , xrefs: 00424B7A
%&' , xrefs: 00424BF8
%&' , xrefs: 00424CF6
TB, xrefs: 00424B60
6B , xrefs: 004254FA

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: %&' $%&' $%&' $6B $6B $TM$}{$TB
API String ID: 0-532389244
Opcode ID: a35753d0151c3b60badbe6e872e94605f228196ad39ec38a943036cf7ea1f1a3
Instruction ID: eb1f00ebf2511f765ef4388181a6606454bf0ec366917ec423cabb604cc617b6
Opcode Fuzzy Hash: a35753d0151c3b60badbe6e872e94605f228196ad39ec38a943036cf7ea1f1a3
Instruction Fuzzy Hash: AD32143A618762CBC324CF28D8806ABB3F1FFC5740F96892DD5855B360E7349945CB96

Function 004204D0 Relevance: 9.2, Strings: 7, Instructions: 415COMMON

Download Yara Rule

Strings

Y`, xrefs: 00420662
`z, xrefs: 0042055C
$b, xrefs: 00420652
`q, xrefs: 00420554
SF, xrefs: 00420564
HY, xrefs: 0042065A
#2, xrefs: 0042056C

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: #2$$b$HY$SF$Y`$`q$`z
API String ID: 0-4091382525
Opcode ID: fd6ac7d2d5d23bbf4ee613f151b1bfed1fcd6196b6525023b93362c9c589667a
Instruction ID: 3ba57f9c575523b23b7d6df1398b1c68537699cc24aefff67a75ee7efb0deefe
Opcode Fuzzy Hash: fd6ac7d2d5d23bbf4ee613f151b1bfed1fcd6196b6525023b93362c9c589667a
Instruction Fuzzy Hash: E4C10FB46083608BD324CF25D85176BB7F2EFD2354F549A1DE4D28B3A2E7789801CB96

Function 0042885D Relevance: 6.5, Strings: 5, Instructions: 273COMMON

Download Yara Rule

Strings

4WVU, xrefs: 004288BF
`+E), xrefs: 004288AA
<i(o, xrefs: 004289E5
VkX, xrefs: 00428A54
:kX, xrefs: 00428A09

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: 4WVU$:kX$<i(o$VkX$`+E)
API String ID: 0-3841067578
Opcode ID: 439e4857075c349a7fb4fedd1c4efff3b500e6e324aa6ab0e2b1f54ef0314c57
Instruction ID: f44c6c7f5bca706c4fa7f0ed0acfeb6a0dd74a46477722201e04d3942d18dcd6
Opcode Fuzzy Hash: 439e4857075c349a7fb4fedd1c4efff3b500e6e324aa6ab0e2b1f54ef0314c57
Instruction Fuzzy Hash: F691BEB1A04229CFDB24CF68D89179EB7B2FF45304F1481ADD409AB381DB749946CF94

Function 00423253 Relevance: 6.5, Strings: 5, Instructions: 252COMMON

Download Yara Rule

Strings

I7UI, xrefs: 00423741
S3W5, xrefs: 0042373A
9ONA, xrefs: 0042374F
9ONA1K-MI7UIS3W5, xrefs: 00423712, 00423728
1K-M, xrefs: 00423748

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: 1K-M$9ONA$9ONA1K-MI7UIS3W5$I7UI$S3W5
API String ID: 0-933187647
Opcode ID: d9da36b1f5715e8b6bdb990c6daa5d14cf0e5f03349bc556164c80d9ac8ee8d6
Instruction ID: e0283fb1006ed4bb59ca0cf6125c82c8dc20a5f9c720f786e34110af42902227
Opcode Fuzzy Hash: d9da36b1f5715e8b6bdb990c6daa5d14cf0e5f03349bc556164c80d9ac8ee8d6
Instruction Fuzzy Hash: F96125B5E00221CBDF10CF68D88167B77B1FF56321F098269D955AF3A5E3399901C7A4

Function 0040EBC9 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 339COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040EBDE

Strings

u+M), xrefs: 0040EFA0
,S, xrefs: 0040EF87
JKJI, xrefs: 0040EF10

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: Uninitialize
String ID: ,S$JKJI$u+M)
API String ID: 3861434553-1841215335
Opcode ID: fd89fb04e6af2126ec7d0c4f413b291d3b460eb8454ac9b8c61eaa5ba84f913a
Instruction ID: 55e010f4fa73efb4a4babe51be54a72a77015259f1a581acd063b01848d723c6
Opcode Fuzzy Hash: fd89fb04e6af2126ec7d0c4f413b291d3b460eb8454ac9b8c61eaa5ba84f913a
Instruction Fuzzy Hash: F7B1FF7110D3D28BD3358F25C4913EBBFE1AFA6300F18896DD0D9AB382D77949058B96

Function 00432A7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00432AA9
GetSystemMetrics.USER32 ref: 00432AB8

Strings

, xrefs: 00432B8F

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: d51e656c3f0659f1d8f80fd5f7a95a7b1c6d89b1967178bbec7390e98a946ffb
Instruction ID: 019e6ba3795b3c03f62bcf095e5b0997e948dbd85c1b209d1844a7f659c394df
Opcode Fuzzy Hash: d51e656c3f0659f1d8f80fd5f7a95a7b1c6d89b1967178bbec7390e98a946ffb
Instruction Fuzzy Hash: CD4163B4D152099FCB44EFA8E98565EBBF1AF88300F10452EE458E7360D774A985CF86

Function 00439AD0 Relevance: 4.4, Strings: 3, Instructions: 642COMMON

Download Yara Rule

Strings

%&' , xrefs: 00439B09
%&' , xrefs: 00439D45
f, xrefs: 00439D11

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID: %&' $%&' $f
API String ID: 2994545307-3010120656
Opcode ID: 248e33c4c06c48379433ce6513a51dcf0841d0ac621abc670da680c12b6cd1c1
Instruction ID: 9deefebcd34f35767ace8f4904bd4158d32b562d5276463c9a2b017ec6f190b1
Opcode Fuzzy Hash: 248e33c4c06c48379433ce6513a51dcf0841d0ac621abc670da680c12b6cd1c1
Instruction Fuzzy Hash: A612C1306083418FD725CF28C890B2BBBE1EB8D314F249A2EE495973A1D779DC55CB96

Function 00425880 Relevance: 4.0, Strings: 3, Instructions: 253COMMON

Download Yara Rule

Strings

LF, xrefs: 00425983
|}, xrefs: 00425B08
\I, xrefs: 0042597B

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: LF$\I$|}
API String ID: 0-4141390281
Opcode ID: 201f21aec899f43067aa6e29d329dfad84e60ca86d00958dff0a26e1023ca861
Instruction ID: 17783d7788e1c827662370205eab14a350d4785b202bdae7be3575e700f5491e
Opcode Fuzzy Hash: 201f21aec899f43067aa6e29d329dfad84e60ca86d00958dff0a26e1023ca861
Instruction Fuzzy Hash: 6B7126B16083508BD714DF25D89126BBBF2FFC5314F489A2DE4D58B390EB788905CB9A

Function 004176C7 Relevance: 3.3, Strings: 2, Instructions: 776COMMON

Download Yara Rule

Strings

K7, xrefs: 0041770F
`b]}, xrefs: 00417910

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID: K7$`b]}
API String ID: 2994545307-3709244666
Opcode ID: 0914da04c00a9f28c935515729d7f61da11a0df7f9d4a27bb10e334df14ffdc2
Instruction ID: d2007eeb78510559131517ca7fd8e74501e851e0118eb468ad6ad3dcc6f41d87
Opcode Fuzzy Hash: 0914da04c00a9f28c935515729d7f61da11a0df7f9d4a27bb10e334df14ffdc2
Instruction Fuzzy Hash: DB22B3342087418FD7358F24D891AB777F2EF56310F2484AED496873A5C739E886CB58

Function 0041C80F Relevance: 3.2, Strings: 2, Instructions: 748COMMON

Download Yara Rule

Strings

rI, xrefs: 0041CC8F
sF, xrefs: 0041CC96

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: rI$sF
API String ID: 0-2903080881
Opcode ID: 5e7e44dc337993bd122ba9c18756c877f277e5ec9f777f8cf69c3abaeff0b7dc
Instruction ID: 8057630bebcbbd45bcbb78d1cad175ef165272c3d78d6a3fef1cbd93612b6d3b
Opcode Fuzzy Hash: 5e7e44dc337993bd122ba9c18756c877f277e5ec9f777f8cf69c3abaeff0b7dc
Instruction Fuzzy Hash: 0312F5B49402118BCB24CF24CC926B7B7B1FF56314F18965DD8966B391E338A882CBD9

Function 0042C01F Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

)./q, xrefs: 0042C40B
%+!2, xrefs: 0042C401

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: %+!2$)./q
API String ID: 0-1153254033
Opcode ID: dc7465130530511a0838eb428e5d57b65cf806d00e4661139010a461de61e988
Instruction ID: 52f46f83695e43a924619aa679c3daba762e03d7c2ec0f182c189aeb2fe8ac26
Opcode Fuzzy Hash: dc7465130530511a0838eb428e5d57b65cf806d00e4661139010a461de61e988
Instruction Fuzzy Hash: C0E10620604B908EE725CF35D4917B7BBE19F57304F5888AEC4DA8B383D739A50ACB65

Function 004378AF Relevance: 2.9, Strings: 2, Instructions: 433COMMON

Download Yara Rule

Strings

lm, xrefs: 00437C07
8,4, xrefs: 00437B48

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: lm$8,4
API String ID: 0-2216838429
Opcode ID: 2631799fb5cf84c9f5af83ea10d7d88ef34cbe37ebec547e10cc70293cd1d5e5
Instruction ID: 2209f4a6cc269706435be9d5c77f0bef970c3ac6184fd4ae7dc296662d7915cb
Opcode Fuzzy Hash: 2631799fb5cf84c9f5af83ea10d7d88ef34cbe37ebec547e10cc70293cd1d5e5
Instruction Fuzzy Hash: CFD1E17962C312CBC7249F28D891267B7E2FF4A361F0AD879C4858B6A0E739C851C755

Function 0040A760 Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

(, xrefs: 0040A966
, xrefs: 0040A915

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: ($
API String ID: 0-2490287680
Opcode ID: 7f6527a79b4093fef15f75508c66f8d8973ea2b302c5b25334b75fae5e847f49
Instruction ID: 36c4be41318bff5fa83ed68d5de95e3c35e2452476be694389d5d5af30e8e9cd
Opcode Fuzzy Hash: 7f6527a79b4093fef15f75508c66f8d8973ea2b302c5b25334b75fae5e847f49
Instruction Fuzzy Hash: EBB1EF701083808FD314CF2688906ABBBE5AFD2314F148D2DE4E29B391D778D50ACB57

Function 0041552C Relevance: 2.8, Strings: 2, Instructions: 274COMMON

Download Yara Rule

Strings

BVA, xrefs: 0041562B
@XA, xrefs: 00415612, 0041583A

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: @XA$BVA
API String ID: 0-3982343031
Opcode ID: a1adea0b066652388dbb1eb403d9d27b07881e2a04940dfa56c2c3db04915a1a
Instruction ID: b20f216eafba797344dc6a8561f20ec03d543d43c6b8fe19533fac4ec9456562
Opcode Fuzzy Hash: a1adea0b066652388dbb1eb403d9d27b07881e2a04940dfa56c2c3db04915a1a
Instruction Fuzzy Hash: 57713479904210CBD714EF14EC937BB73A1FFD6318F48442DE9824B2A2E7399916C79A

Function 0042942A Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

ik, xrefs: 004295FA
efg, xrefs: 00429601

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: efg$ik
API String ID: 0-2163528820
Opcode ID: bf394dfa9eda4322cdfa4c5711ecd435e2ade288c5e2b607038a50a12dd7575e
Instruction ID: a607444bdb5d4e4787574faa09cf29184f0e0e54bb0f56ea34e900ebf0cdefc3
Opcode Fuzzy Hash: bf394dfa9eda4322cdfa4c5711ecd435e2ade288c5e2b607038a50a12dd7575e
Instruction Fuzzy Hash: BE919DB4D042199FCF00CFA8D852AEEB7B1FF4A304F1881AAD415AB352D739A911CB65

Function 004048D0 Relevance: 2.7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

J@, xrefs: 00404AD9
BI@, xrefs: 00404933

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: BI@$J@
API String ID: 0-2798670126
Opcode ID: b4299cc53823bc2e11cebf376c06a3df0d03dba20f71b2bda1fcbc40b246777e
Instruction ID: 5e5616a0ec8059616e538aab585c495c4a6e4d77a71613587c596025eb7374cc
Opcode Fuzzy Hash: b4299cc53823bc2e11cebf376c06a3df0d03dba20f71b2bda1fcbc40b246777e
Instruction Fuzzy Hash: 2971BC7A619201CFD704CF24D49136ABBF0FB8AB16F0584BDE8859B290DB78DA54CF45

Function 00437360 Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

%&' , xrefs: 004373C5
%&' , xrefs: 00437465

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: %&' $%&'
API String ID: 0-1644610688
Opcode ID: 4301fc593a5ecec86d147e266f002d301e88448a825c7124c701315af40b9b7d
Instruction ID: a0a25cb1300b1d5389b0a3530be3fb3d79f2aa39baea63916dc317a2b1190a9d
Opcode Fuzzy Hash: 4301fc593a5ecec86d147e266f002d301e88448a825c7124c701315af40b9b7d
Instruction Fuzzy Hash: 4851157420C300EBD720DF28D881B3BB7E5EB8A304F10A82DE5C597291D779D816CB6A

Function 0042B873 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

B+}y, xrefs: 0042BA8E
&@>e, xrefs: 0042BA70

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: &@>e$B+}y
API String ID: 0-471208924
Opcode ID: ca42c1d59bdb4e22d6453571b30a13625ef883859d8464f18dfa5a3c2ea22ec4
Instruction ID: ec36e0fa73306624c4a606d6dcb608170d88e7bc1d9ca65dd33c21873609c000
Opcode Fuzzy Hash: ca42c1d59bdb4e22d6453571b30a13625ef883859d8464f18dfa5a3c2ea22ec4
Instruction Fuzzy Hash: A55125A0205B918AD7268B3590603F3BFE5DFA3304F5848AEC6E79B287C7385546C759

Function 0042B849 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

B+}y, xrefs: 0042BA8E
&@>e, xrefs: 0042BA70

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: &@>e$B+}y
API String ID: 0-471208924
Opcode ID: c5cc1b538811d58a24c289b6118f7874cd610fca7c9b1cdf3832994dcdf9c6dc
Instruction ID: f2c012f10c1ff69c4d645849ef88f5f9241ba43516dc8a8caa99d8a5e4b60302
Opcode Fuzzy Hash: c5cc1b538811d58a24c289b6118f7874cd610fca7c9b1cdf3832994dcdf9c6dc
Instruction Fuzzy Hash: 8231F2A0205B928AD7258F3580603F3FFE1DF63304F5848AEC6E797282C7795546CBA9

Function 0040B448 Relevance: 2.5, Strings: 2, Instructions: 31COMMON

Download Yara Rule

Strings

9^, xrefs: 0040B45C
r, xrefs: 0040B4A1

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: 9^$r
API String ID: 0-2362331873
Opcode ID: 6dbd0c06decca1a505d53060249e74fd5decfa23552a4f6ed8d14e3c4ce27d24
Instruction ID: 01aa5ef0bcfb1f0a9ea02c259f9875b4025f4f32f392bc8294da3f1b353cc275
Opcode Fuzzy Hash: 6dbd0c06decca1a505d53060249e74fd5decfa23552a4f6ed8d14e3c4ce27d24
Instruction Fuzzy Hash: 5801AD7190A3A88BDB258F508D923DABA32EF53314F2491DDC18D7B241D7394A89CF0A

Function 0042A9F0 Relevance: 1.7, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

", xrefs: 0042ACF6

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 3570edca938d7efaca747e7bbc1fe085a1e38c302b5735abdddfd3acfa65061a
Instruction ID: 6490a4badec12502b76c3412e80c5cc4226111b8a606689ddfbf1acd7b2a3f04
Opcode Fuzzy Hash: 3570edca938d7efaca747e7bbc1fe085a1e38c302b5735abdddfd3acfa65061a
Instruction Fuzzy Hash: 4AC10472B083205BD714CE25E48076BB7EA9B84314F99892FEC9587382E738DC55C797

Function 0043EFD0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

EFG@, xrefs: 0043F000

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID: EFG@
API String ID: 2994545307-813506099
Opcode ID: 8d7962405d4067a1e482ee89068f691d1112d6f50b3e8a51e6b633e08720940c
Instruction ID: 1e60e6898cfe7b9e0abb44346e486e292e123297e9d8f8b196e4b522b06374a2
Opcode Fuzzy Hash: 8d7962405d4067a1e482ee89068f691d1112d6f50b3e8a51e6b633e08720940c
Instruction Fuzzy Hash: 5481E236A083119BC728CF18D89062BB3E2FF99314F19947DE985973A1DB36DC05CB86

Function 0043ED00 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

EFG@, xrefs: 0043ED30

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID: EFG@
API String ID: 2994545307-813506099
Opcode ID: 41c113129b9b414464f902f3b350f19367639c17bed92d5fc520530e787c5d84
Instruction ID: 67abacc6dbf917b8fedd8633a44b0b5e27e6b19049a64fc3c7458262d0a16f43
Opcode Fuzzy Hash: 41c113129b9b414464f902f3b350f19367639c17bed92d5fc520530e787c5d84
Instruction Fuzzy Hash: E381B0756093019FC714DF19C890A6BB7E2FF99300F15992DE5858B3A1EB35EC01CB8A

Function 0042AE80 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B07E

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: d7610484c4d5eb6a3893fe5d48ad66d6bf757981ae5bb6d70f6e88c182e660ec
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 1771F732B083354BD714CE28D58032FB7E2EBC5750F9AC92EE89897391D7399C55878A

Function 0041BCA4 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

@TB}, xrefs: 0041BCAE

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: @TB}
API String ID: 0-1025384779
Opcode ID: 2af7f6fa32ba17f247ba88f4e13da0a67bc7a943a697415243faa6796850088b
Instruction ID: cb01901ab94cc62da67a268c7bccc1fdf064498f3bd53741c673a17ee543007c
Opcode Fuzzy Hash: 2af7f6fa32ba17f247ba88f4e13da0a67bc7a943a697415243faa6796850088b
Instruction Fuzzy Hash: 364125309083E18AD3158F2994A03B7FFE19FA7305F28585EE4C557392C7B9894587D6

Function 0042B625 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

NREH, xrefs: 0042B691

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: NREH
API String ID: 0-3233708078
Opcode ID: 6cf57d42ddd7e24c1025c93854e36c3a9c7d21d017cd92a5d5473f0db72224b4
Instruction ID: d9a485c7b55d9f600a1b5a09e37eeb586acac98cc1655572794f11af4a08aef9
Opcode Fuzzy Hash: 6cf57d42ddd7e24c1025c93854e36c3a9c7d21d017cd92a5d5473f0db72224b4
Instruction Fuzzy Hash: 0231F9B46057518BE3328B35D491BB3BBE2EFD3304F54884DD2D60B346D37625158799

Function 0043E930 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

@, xrefs: 0043E998

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 736e3267f2677fab266ddb0c7f6e3a18028d0f7d9891780e0a804c4b02e9ade5
Instruction ID: 2e5b086bd18dd23e43da813a4ef61bfe490ca586e980f210129e2b452d405168
Opcode Fuzzy Hash: 736e3267f2677fab266ddb0c7f6e3a18028d0f7d9891780e0a804c4b02e9ade5
Instruction Fuzzy Hash: F531F2722083048BC314DF19D89166FBBE5FFC9314F15982DEA9987390D739D908CB96

Function 0040CC4E Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

j, xrefs: 0040CC7B

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-700888311
Opcode ID: fe4284ebeefc084a3779056ee679bca1d40dc296300e25fcea25daa51884d92d
Instruction ID: 7cb92174ec60dc0582bd504beeb85d0a032007eaa8547e4e18e7e38ba5c9f383
Opcode Fuzzy Hash: fe4284ebeefc084a3779056ee679bca1d40dc296300e25fcea25daa51884d92d
Instruction Fuzzy Hash: 4521E2B2B0C3419BE718CF25D89176BB7A3BBC6301F18C92EE18653395CA7498058B4A

Function 00408500 Relevance: .9, Instructions: 853COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3cfc5c613f65f6909022ffb9496c7a4d837c7311a3da510579a017a9477ca4
Instruction ID: 9393d97e6676800a73ec03599eb5929843693b7f071d2ac9167628cf59f00ae8
Opcode Fuzzy Hash: be3cfc5c613f65f6909022ffb9496c7a4d837c7311a3da510579a017a9477ca4
Instruction Fuzzy Hash: F652B2316086158BC724DF28D9802ABB3E2FFD4314F29893ED9D5A73C1DB38A955CB46

Function 00405BD0 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661cc01f866815b08fed3f8e5d8fa5059091b37acb608e0a1a96a7184fad70a1
Instruction ID: 3185cd9acc765febf5f34fe578bb1c75cb8aad97fc8202d53e9a5837457eda4e
Opcode Fuzzy Hash: 661cc01f866815b08fed3f8e5d8fa5059091b37acb608e0a1a96a7184fad70a1
Instruction Fuzzy Hash: 5FF19C752087418FD724CF29C88176BBBE2EFD9304F08882EE5D587792E639E944CB56

Function 00409290 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1917ce255a52a59bf16909ccda6965b6c818547928aa002572e68e30cff3922
Instruction ID: 712e329531a2eabbb1866798d328edff42fa20e1fa6dbd156bbe9f19a28fca1a
Opcode Fuzzy Hash: b1917ce255a52a59bf16909ccda6965b6c818547928aa002572e68e30cff3922
Instruction Fuzzy Hash: 72D13A7160C2514BC319CE29C4E026AB7E2EFC5324F188A6EE0E6573E7D7385D46CB45

Function 0041D3A0 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffd5714feffee172f0f0664a231165ec2fad4aa4367c4509b7658a4d1148890
Instruction ID: b36617e956d9c883024133f873456605a2bb5d3e11400a19471eb0d7aad59bb8
Opcode Fuzzy Hash: 9ffd5714feffee172f0f0664a231165ec2fad4aa4367c4509b7658a4d1148890
Instruction Fuzzy Hash: 42914972E042619FCB158E28C85139F7BE2ABD1324F19823EE8B9973C1D6389C46D7C1

Function 0043EA60 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 614ba21b2eaa59d649857e01dcd74313dde7157dcd040d4ee94561ebe07e303f
Instruction ID: 4513d1bff66e5480e5c3ae4ac0fcf11a6c6281a9e01a788a0cf254591a6b3836
Opcode Fuzzy Hash: 614ba21b2eaa59d649857e01dcd74313dde7157dcd040d4ee94561ebe07e303f
Instruction Fuzzy Hash: EB7101726093019BC715DB19C85072FB3E2FFD9310F19A82DE585873A0DB75E801C78A

Function 00402140 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccaf44e000dcd60d3d16f4188c1deb48d49199deb5670199837ec1816fb856a
Instruction ID: 5ce36ef01112cf0089f0f6079ce7a889851dffe9db0ebb6c06d146f5d754375b
Opcode Fuzzy Hash: 8ccaf44e000dcd60d3d16f4188c1deb48d49199deb5670199837ec1816fb856a
Instruction Fuzzy Hash: C9713A615483858BD7248EB8998836BBBD19B52314F18857FD8C5EB3C2D2FCC986C35A

Function 0041BE34 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6e90178601047d7b1cd3e0eef38c2ffb473e7250bb8dbd04315c7c9980a7fd
Instruction ID: c8d300e842520f8ff56d758ae63c7bd1ef4da756e63730f8688e19cb04c45461
Opcode Fuzzy Hash: 5e6e90178601047d7b1cd3e0eef38c2ffb473e7250bb8dbd04315c7c9980a7fd
Instruction Fuzzy Hash: 325113719083418BC714CF24C8A17A7BBF1EF9A314F18591EE4C69B392E379D841CB9A

Function 00425BB7 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb46122e4bf24e24c68cf01caaa8462d012745184aa1fde70d9927f27cc6055
Instruction ID: cc132501df663a117903b97f00b3d95bbe4947ad4d30f2384a195324f81e2bee
Opcode Fuzzy Hash: ceb46122e4bf24e24c68cf01caaa8462d012745184aa1fde70d9927f27cc6055
Instruction Fuzzy Hash: 17515B72B493708FD720DA6498C026BBB91DF56310F9F866AD9804B3D2D37D8C09D3A9

Function 00416CDA Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072a347d5bdba98894575642844b05ea4fa4f6afe633ee9cd49b761fe0c19577
Instruction ID: afcf008a74b6230aed6478ac6fa32d48e122fff791a1c68ee0334feeb71f6131
Opcode Fuzzy Hash: 072a347d5bdba98894575642844b05ea4fa4f6afe633ee9cd49b761fe0c19577
Instruction Fuzzy Hash: 234101742007018BD7248F39D8916B3B7F2FF86324B198A59D4968F392E738D881CBA5

Function 00428E12 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1eb6e8f9cebf9310569608b05d90eb23a8839b822df6ede1f2545900b47a734
Instruction ID: cca8166cd74db750e22b625f98e4c64ffe2cff581b2aed3b4ae929739f7437a3
Opcode Fuzzy Hash: d1eb6e8f9cebf9310569608b05d90eb23a8839b822df6ede1f2545900b47a734
Instruction Fuzzy Hash: 5B41D679A01104DFDB04CF98EC81AAE73B2FB8A304F150079E611A73A2DB319C01CF59

Function 00429760 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfcbf158a1925d27deda4524304750282788554bc30bc8d2ccc3e4e6495a77e
Instruction ID: 444bf73d51897e83c91566954d1fcba4c2526831b2dd324cecf461441dc9f825
Opcode Fuzzy Hash: acfcbf158a1925d27deda4524304750282788554bc30bc8d2ccc3e4e6495a77e
Instruction Fuzzy Hash: D051EDB4208304ABE310DF25E840B5FBBE4EBC6708F04092DF1A59B292D774D90ACB97

Function 0043CD6A Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20b56e163bee541d416a99d1d8645afa1a694bf7a8a425e42182a00e119476c
Instruction ID: 70b67d4e77b2b492ef18e0cb29546501d2d5ea2cb49a478dde5409ca142ce3e4
Opcode Fuzzy Hash: e20b56e163bee541d416a99d1d8645afa1a694bf7a8a425e42182a00e119476c
Instruction Fuzzy Hash: F5410932E586314BCB18CE3888E556BBBD1AB8E214F0AC23E9D99AB391C675DD0547C4

Function 00418442 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36d67086af109dab653c781ab532b3dfadd672c278f34b791295c29b7faa680
Instruction ID: 9dc76cc7c297ab5bc0de09241d2effdbf6d3771927ed8a047c51fc59045df501
Opcode Fuzzy Hash: b36d67086af109dab653c781ab532b3dfadd672c278f34b791295c29b7faa680
Instruction Fuzzy Hash: 164116B1641601CBC728CF19C8916A3F7B2FF59310B19869DD4968F392EB38E885CBD4

Function 00418322 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344256b17765af855b5ef4dd93593c2296d134b29d5ca609b118cf154b16a1a6
Instruction ID: 5466dd2caed8e1815c73123deb0820baf707a7a685e287330f97e613d6f08fda
Opcode Fuzzy Hash: 344256b17765af855b5ef4dd93593c2296d134b29d5ca609b118cf154b16a1a6
Instruction Fuzzy Hash: DF21A3B55007018BC7104F24C8917B7F3B0FF56720B189659DC669B392EB39E881D799

Function 00428B30 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a738af5812802af73c49a8bb98e8405b933513c21a12eeedaf2a69df3dcdd625
Instruction ID: c804ca26005879f9eb8be0b76ef6f38610062a6f4aff6f9e59ee0e9b35b2c84c
Opcode Fuzzy Hash: a738af5812802af73c49a8bb98e8405b933513c21a12eeedaf2a69df3dcdd625
Instruction Fuzzy Hash: 57217FB4E00219CFDB14CFA8D8916AEB7B2FF56300F1941BDD509A7395E738AA40CB55

Function 0043AB6E Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8966e704ee92025a7ff266bada3f7653cfd03d27fef9618005710c33ae7135
Instruction ID: ed651a717edb8226e5a962e51636a0489310b3281a365c3b413d6d6aeb36fda2
Opcode Fuzzy Hash: 2a8966e704ee92025a7ff266bada3f7653cfd03d27fef9618005710c33ae7135
Instruction Fuzzy Hash: 3621B2B58143009FD704DF20FC4265BBBE2E7A670AF08943DE444D736AE739C6158B4A

Function 00433F40 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: aeabf4696829133b471a5067be8414b4616382dabbfdf69d68878e36ba8704d6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2D114C33F091D50EC3168D3C8400565BFB30A9763AF9D539AF4B49B2D6D62B8E8B8359

Function 0042A470 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b116c5e692799a27a7bd49b120a45795fc24317c5a5220f4ceb72e2f4b67b6
Instruction ID: 2007bb4107c16e19410598fc3bbe7cb411feb965aa32561729dff3bc4119cdef
Opcode Fuzzy Hash: d4b116c5e692799a27a7bd49b120a45795fc24317c5a5220f4ceb72e2f4b67b6
Instruction Fuzzy Hash: 2A019EB1B0031157E620AE21A8C4727B2A86F81718F88443EEC0497343DBBEFC24C2DA

Function 0042B8FE Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2102332cf9eb3befd8ec2945a2b32137b9f125ab0323b5cef0f061d2b69f029d
Instruction ID: 47dddcf0ed5d0179eb7b1d49fed8757945f6895ba813e54f78ee49682f6e8d6c
Opcode Fuzzy Hash: 2102332cf9eb3befd8ec2945a2b32137b9f125ab0323b5cef0f061d2b69f029d
Instruction Fuzzy Hash: FA015AD05597804FD7224B3096AA7B3AFE88B93214F096CAEC7C7F7253C9389456832D

Function 0042E957 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9dbb6b119f4ad154f4aff896e8200b74774d06edd459621b9750ab1d2aaa6f
Instruction ID: 7c19b077b698cb365f52fa5b6f22f0c7a4528f34b9195dbe97ae8f7db9673315
Opcode Fuzzy Hash: bd9dbb6b119f4ad154f4aff896e8200b74774d06edd459621b9750ab1d2aaa6f
Instruction Fuzzy Hash: 96F030B45493818FD316DF24C454B967FF0AF86300F41855FE49ADB252C774A548CB51

Function 00429FD4 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5357fc1e58cc223ea9e479b1e4253c3cd9e78e83b0e1b648ae004575ad954de1
Instruction ID: f58d6ee5f812000abee69ea10e788a05641d401ba651b71e4a3f78527d652e87
Opcode Fuzzy Hash: 5357fc1e58cc223ea9e479b1e4253c3cd9e78e83b0e1b648ae004575ad954de1
Instruction Fuzzy Hash: D2A002A9C49004DBE9006F217802175F17C721731DF8530B5940A33153E5BAD518C58F

Function 00430FD1 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043105B

Strings

$, xrefs: 004310E3
), xrefs: 00431103
1, xrefs: 00431077
&, xrefs: 0043110B
:, xrefs: 00431123
%, xrefs: 004310F3
5, xrefs: 00431087
?, xrefs: 0043106F
7, xrefs: 0043108F
0, xrefs: 00431215
(, xrefs: 004310EB
!, xrefs: 00431113
3, xrefs: 0043107F

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: AllocString
String ID: !$$$%$&$($)$0$1$3$5$7$:$?
API String ID: 2525500382-3530167312
Opcode ID: dc9c914ad8659289ecb2e5997378fb659b332ad092e2210a131c71f8a3479a64
Instruction ID: 33ac502b166921095cde2d3e580a857e452c4b5d648918f7558fe24d16cf8493
Opcode Fuzzy Hash: dc9c914ad8659289ecb2e5997378fb659b332ad092e2210a131c71f8a3479a64
Instruction Fuzzy Hash: F2914761108BC18ADB268F3C88882467F916B67224F1D87DDD8F64F7EBC2A5C506C766

Function 004315A7 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431634

Strings

?, xrefs: 0043164B
!, xrefs: 004316EF
0, xrefs: 004317EE
7, xrefs: 0043166B
(, xrefs: 004316C7
&, xrefs: 004316E7
1, xrefs: 00431653
5, xrefs: 00431663
$, xrefs: 004316BF
), xrefs: 004316DF
%, xrefs: 004316CF
3, xrefs: 0043165B
:, xrefs: 004316FF

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: AllocString
String ID: !$$$%$&$($)$0$1$3$5$7$:$?
API String ID: 2525500382-3530167312
Opcode ID: 6c6a8080d4f1fc07ea73d0a63a91f290a68c634d8fd51fde6636079dd1384e7c
Instruction ID: 49bed7bd96ca5af192586f41a2c41e0ece2bcc55bf72177a6003ddd12163127b
Opcode Fuzzy Hash: 6c6a8080d4f1fc07ea73d0a63a91f290a68c634d8fd51fde6636079dd1384e7c
Instruction Fuzzy Hash: 96916820108BC18ADB268F3C88C86467F916B67224F5D87DDD8E64F3EBC6A5C506C766

Function 0042381A Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 187COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 004239A6

Strings

?=, xrefs: 0042386F
CX, xrefs: 004238C3
HN, xrefs: 004238BC
*W, xrefs: 004238B5
rB, xrefs: 0042355D

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: DrivesLogical
String ID: *W$CX$HN$rB$?=
API String ID: 999431828-1235944698
Opcode ID: 3dbda5d1ba1d134e893318a01595d34f3568eec65b48a9a9a1e464c05740cb32
Instruction ID: 8e0fa411e1a60378add3495c4cc4efebb8dbebcde85eb3a3be83c63504923fa1
Opcode Fuzzy Hash: 3dbda5d1ba1d134e893318a01595d34f3568eec65b48a9a9a1e464c05740cb32
Instruction Fuzzy Hash: 637100B5901214CFCB18CF18D890AAA7BB1FF49324B5A81DDE4566F3A2E778C941CF84

Function 0043181D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431823
VariantInit.OLEAUT32 ref: 00431832

Strings

9^_4, xrefs: 004318C8

Memory Dump Source

Source File: 00000008.00000002.2135004710.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_nRIsFYood8.jbxd

Similarity

API ID: Variant$ClearInit
String ID: 9^_4
API String ID: 2610073882-3604143779
Opcode ID: 46d42aa7439412826bb5ed8febab675c42a06a273b7bb98d6bd72fa13304f1f2
Instruction ID: 3a5f527242fbedd96a6d9633313fc6b555e5808162b471dc463d671028be4964
Opcode Fuzzy Hash: 46d42aa7439412826bb5ed8febab675c42a06a273b7bb98d6bd72fa13304f1f2
Instruction Fuzzy Hash: DB413874508B828ED316DB39C888756FFA17BA6324F08879DD0E54B393C674D185D792

Analysis Process: svhost.exePID: 5964, Parent PID: 4004COMMON

Executed Functions

Function 00007FFD347604D8 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

?P_^, xrefs: 00007FFD34760501

Memory Dump Source

Source File: 00000009.00000002.2229052280.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34760000_svhost.jbxd

Similarity

API ID:
String ID: ?P_^
API String ID: 0-1413489715
Opcode ID: 64252e5b42dc7bb39148d38fbfb3b83756ca5b8e581f43b4b7c5c35a724b18bd
Instruction ID: 0c739c144b960586037080e60c45fbf5201237dfd984859966d7814a90467097
Opcode Fuzzy Hash: 64252e5b42dc7bb39148d38fbfb3b83756ca5b8e581f43b4b7c5c35a724b18bd
Instruction Fuzzy Hash: AD3161A2A4D2D69FE722E7B854F61FE3FA49F03328F0844B7D148DA093DE2C255592D1

Function 00007FFD34760510 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2229052280.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34760000_svhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00c28b9c7c7a7ea3eac6469d109d484103e53b8f4376704ed0e01060ce9ed4f
Instruction ID: 761a10a2b2f65c81db8c1c5ee2a4006cf535bd85506f272a81ed2a904af6044e
Opcode Fuzzy Hash: d00c28b9c7c7a7ea3eac6469d109d484103e53b8f4376704ed0e01060ce9ed4f
Instruction Fuzzy Hash: 8301B562A4E3D69FE312E77858B60EA7FE4DF03324F0900F7D148CA193EA1C241997A1

Function 00007FFD34760B85 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2229052280.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34760000_svhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c4e515edd306df6e54d233df69d398dbbf7ff41e435014dd65eb7ed8eac12f
Instruction ID: 721c2051d1cc95042df6c42a0e7e90fb5188548da8beaa1eec032fdf26bad9f6
Opcode Fuzzy Hash: 43c4e515edd306df6e54d233df69d398dbbf7ff41e435014dd65eb7ed8eac12f
Instruction Fuzzy Hash: 9711D371A056498FDB49DFA8D8A06FE7BB1FF45320F04052AD00AE32D1DF786944C761

Function 00007FFD34760889 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2229052280.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34760000_svhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f486cea80f53a3cde067373f882e92d536fc3c3366bdbc3f75274d8fb33471fb
Instruction ID: 306d8b1798c278b0f2d2cb395c78ee44bf3685ebeca3d3b5100f404269398cfb
Opcode Fuzzy Hash: f486cea80f53a3cde067373f882e92d536fc3c3366bdbc3f75274d8fb33471fb
Instruction Fuzzy Hash: 5FF04BB1D5928ADAEB50FB6481A92FD7AA1AF03314F5058B5E608A2083DB7C3654E6C0

Function 00007FFD34760498 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2229052280.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffd34760000_svhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a1b0928950f113d8af1683049007f30e84fde3c92b2a192e8b613635f0b631
Instruction ID: 838a54d7c9d73a7951dbe4ffaacff715539caca4ff5042b9bf8ece1a33774222
Opcode Fuzzy Hash: f0a1b0928950f113d8af1683049007f30e84fde3c92b2a192e8b613635f0b631
Instruction Fuzzy Hash: 6CD09E6394E6D25AD622A2A864F24EA3F949E0323870900F3C5C48E097990860568245

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report h3VYJaQqI9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe

C:\Users\user\AppData\Roaming\nRIsFYood8.exe

C:\Users\user\AppData\Roaming\p1NyAJLgZS.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
h3VYJaQqI9.exe

Function 00C048A4 Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Function 00C092D2 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00C076A8 Relevance: 1.5, APIs: 1, Instructions: 37
memoryCOMMON

Function 00BDA050 Relevance: 12.8, Strings: 10, Instructions: 315
COMMON

Function 00BF2480 Relevance: 6.6, Strings: 5, Instructions: 314
COMMON

Function 00BF1FB0 Relevance: 5.3, Strings: 4, Instructions: 314
COMMON

Function 00C00440 Relevance: 5.3, Strings: 4, Instructions: 295
COMMON

Function 00BE01DF Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 248
COMMON

Function 00C01C20 Relevance: 4.0, Strings: 3, Instructions: 289
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre