Edit tour

Windows Analysis Report
cache_registerer.exe

Overview

General Information

Sample name:	cache_registerer.exe
Analysis ID:	1587420
MD5:	2ead33be79ca5b23b35275b5dad8b744
SHA1:	d034c2953898fcb77eb3abe604fd0a4cead7b204
SHA256:	c5650ae5f6de8cbfb6e1abc6261d1e3b00836a85e32d1547d089c94fd823c97b
Tags:	exeuser-zhuzhu0009
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

cache_registerer.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\cache_registerer.exe" MD5: 2EAD33BE79CA5B23B35275B5DAD8B744)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cache_registerer.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\cache_registerer.exe" MD5: 2EAD33BE79CA5B23B35275B5DAD8B744)

cache_registerer.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\cache_registerer.exe" MD5: 2EAD33BE79CA5B23B35275B5DAD8B744)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["dare-curbys.biz", "print-vexer.biz", "impend-differ.biz", "dwell-exclaim.biz", "atten-supporse.biz", "se-blurry.biz", "covery-mover.biz", "formy-spill.biz", "zinc-sneark.biz"], "Build id": "yau6Na--1328504917"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1716866885.0000000002419000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.cache_registerer.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.cache_registerer.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:02.063855+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.102.49.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.288335+0100	2057921	1	Domain Observed Used for C2 Detected	192.168.2.4	64132	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.344502+0100	2058675	1	Domain Observed Used for C2 Detected	192.168.2.4	52396	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.357569+0100	2058677	1	Domain Observed Used for C2 Detected	192.168.2.4	63113	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.322954+0100	2058681	1	Domain Observed Used for C2 Detected	192.168.2.4	54203	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.334207+0100	2058679	1	Domain Observed Used for C2 Detected	192.168.2.4	60023	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.379021+0100	2058671	1	Domain Observed Used for C2 Detected	192.168.2.4	51534	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.368703+0100	2058673	1	Domain Observed Used for C2 Detected	192.168.2.4	55569	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.301530+0100	2058685	1	Domain Observed Used for C2 Detected	192.168.2.4	50558	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:01.312548+0100	2058683	1	Domain Observed Used for C2 Detected	192.168.2.4	51450	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:11:03.540059+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1716866885.0000000002419000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["dare-curbys.biz", "print-vexer.biz", "impend-differ.biz", "dwell-exclaim.biz", "atten-supporse.biz", "se-blurry.biz", "covery-mover.biz", "formy-spill.biz", "zinc-sneark.biz"], "Build id": "yau6Na--1328504917"}

Multi AV Scanner detection for submitted file

Source: cache_registerer.exe	Virustotal: Detection: 47%			Perma Link
Source: cache_registerer.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: cache_registerer.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: atten-supporse.biz
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yau6Na--1328504917

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 2_2_004E13F0 CoResumeClassObjects,CryptContextAddRef,GetLastError,

2_2_004E13F0

Source: cache_registerer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: cache_registerer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004ED871 FindFirstFileExW,		2_2_004ED871
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004ED922 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		2_2_004ED922

Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-5953E8FEh]	3_2_0040A2F9
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+25611392h]	3_2_0040BAA1
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042A000
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-59C227A5h]	3_2_004260A0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp al, 2Eh	3_2_004260A0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [ebx], cl	3_2_004260A0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00421940
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh]	3_2_00408900
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then push E65107ACh	3_2_0040A111
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ecx, eax	3_2_0041B120
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041B120
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ebx, eax	3_2_00405930
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ebp, eax	3_2_00405930
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042C188
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	3_2_004147B9
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042C147
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00429A40
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7Dh]	3_2_0040AA70
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+10h]	3_2_0040AA70
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	3_2_00439270
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0040EA79
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0040EA79
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-26F0FA91h]	3_2_0040EA79
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, di	3_2_0042B232
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ebx, edx	3_2_0042B232
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [esi], dl	3_2_0042B232
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000098h]	3_2_0042B232
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042B232
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+77h]	3_2_00415A3C
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, di	3_2_0042B2FE
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ebx, edx	3_2_0042B2FE
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [esi], dl	3_2_0042B2FE
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000098h]	3_2_0042B2FE
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042B2FE
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+76h]	3_2_00423A81
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov edx, ecx	3_2_0042C2A3
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, di	3_2_0042B2BD
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ebx, edx	3_2_0042B2BD
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [esi], dl	3_2_0042B2BD
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000098h]	3_2_0042B2BD
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042B2BD
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_0041B37D
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00433C50
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-05F3F59Dh]	3_2_0043D460
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ecx, ebx	3_2_00437470
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	3_2_0042CC79
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-74h]	3_2_00414C87
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	3_2_00414C87
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_00407490
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407490
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00421CA0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+18h]	3_2_00418CB0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then push edi	3_2_00419553
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	3_2_0043D560
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 1E7AC822h	3_2_00422579
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	3_2_00414500
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+03C24A4Dh]	3_2_00422D20
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	3_2_00436DC0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6A2D3EA3h	3_2_0042265F
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx eax, byte ptr [edi+edx]	3_2_0041DE60
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+0000040Ch]	3_2_0042AE6D
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_0041B61C
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000B3h]	3_2_0041B61C
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+0000040Ch]	3_2_0042AEC8
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov edx, ecx	3_2_00424ED0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-20E57F70h]	3_2_0040D6E8
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	3_2_0040D6E8
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0040E6A4
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0040E6A4
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-26F0FA91h]	3_2_0040E6A4
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	3_2_00414EA6
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov edx, ecx	3_2_0041977F
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov word ptr [ecx], dx	3_2_0041977F
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	3_2_00427710
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, di	3_2_0042AF23
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov ebx, edx	3_2_0042AF23
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [esi], dl	3_2_0042AF23
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+00000098h]	3_2_0042AF23
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042AF23
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+000002A0h]	3_2_004187C8
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	3_2_004147D6
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then mov word ptr [edi], cx	3_2_004287DE
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 67F3D776h	3_2_00436FF0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [edx+ebp*8], 22FD5D1Bh	3_2_00436FF0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9CAC4597h	3_2_0040DF90
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	3_2_0040DF90
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+2ED22924h]	3_2_00439790
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], A67D73AAh	3_2_00439790

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057949 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.4:51450 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057935 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.4:51534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057981 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.4:51450 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057943 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.4:55569 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057969 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.4:51534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058671 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz) : 192.168.2.4:51534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057971 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.4:55569 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058673 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz) : 192.168.2.4:55569 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058683 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz) : 192.168.2.4:51450 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.4:63113 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057975 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.4:63113 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058677 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz) : 192.168.2.4:63113 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057931 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.4:60023 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057977 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.4:60023 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058679 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz) : 192.168.2.4:60023 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.4:64132 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057945 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.4:50558 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057983 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.4:50558 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058685 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz) : 192.168.2.4:50558 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057929 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.4:54203 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057979 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.4:54203 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.4:52396 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057973 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.4:52396 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058675 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz) : 192.168.2.4:52396 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058681 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz) : 192.168.2.4:54203 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: atten-supporse.biz
Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: zinc-sneark.biz

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.102.49.254:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=83829215e377cd6d9013837e; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 10 Jan 2025 10:11:03 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlZ equals www.youtube.com (Youtube)
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: atten-supporse.biz
Source: global traffic	DNS traffic detected: DNS query: se-blurry.biz
Source: global traffic	DNS traffic detected: DNS query: zinc-sneark.biz
Source: global traffic	DNS traffic detected: DNS query: dwell-exclaim.biz
Source: global traffic	DNS traffic detected: DNS query: formy-spill.biz
Source: global traffic	DNS traffic detected: DNS query: covery-mover.biz
Source: global traffic	DNS traffic detected: DNS query: dare-curbys.biz
Source: global traffic	DNS traffic detected: DNS query: print-vexer.biz
Source: global traffic	DNS traffic detected: DNS query: impend-differ.biz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: cache_registerer.exe, 00000003.00000002.1741188172.000000000108C000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: cache_registerer.exe, 00000003.00000003.1740382962.00000000010B3000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741316877.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740663400.00000000010B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/Tp
Source: cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/aa
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: cache_registerer.exe, 00000003.00000002.1741188172.000000000108C000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.00000000010B3000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741316877.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740663400.00000000010B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: cache_registerer.exe, 00000003.00000003.1740663400.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: cache_registerer.exe, 00000003.00000003.1740663400.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 3_2_00431950 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00431950

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 3_2_00431950 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00431950

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 3_2_00431B20 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00431B20

Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E17D0	0_2_004E17D0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E1000	0_2_004E1000
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004F1A10	0_2_004F1A10
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E5C52	0_2_004E5C52
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E3C05	0_2_004E3C05
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004F0422	0_2_004F0422
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004F566E	0_2_004F566E
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E1000	2_2_004E1000
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004F1A10	2_2_004F1A10
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E5C52	2_2_004E5C52
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E3C05	2_2_004E3C05
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004F0422	2_2_004F0422
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004F566E	2_2_004F566E
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E17D0	2_2_004E17D0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00409C5E	3_2_00409C5E
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004086E0	3_2_004086E0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043AF7B	3_2_0043AF7B
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0040AF90	3_2_0040AF90
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00421050	3_2_00421050
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043D820	3_2_0043D820
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004270D6	3_2_004270D6
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00426080	3_2_00426080
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004260A0	3_2_004260A0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004278B4	3_2_004278B4
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00403940	3_2_00403940
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00412160	3_2_00412160
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00436160	3_2_00436160
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00408900	3_2_00408900
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00423900	3_2_00423900
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00434913	3_2_00434913
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0041D920	3_2_0041D920
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00405930	3_2_00405930
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0040F130	3_2_0040F130
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004199F0	3_2_004199F0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004147B9	3_2_004147B9
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0041D240	3_2_0041D240
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043C240	3_2_0043C240
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00436240	3_2_00436240
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00416A5D	3_2_00416A5D
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0040AA70	3_2_0040AA70
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00439270	3_2_00439270
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0040EA79	3_2_0040EA79
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00425200	3_2_00425200
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0044521D	3_2_0044521D
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00406220	3_2_00406220
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042B232	3_2_0042B232
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0041CA30	3_2_0041CA30
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00415A3C	3_2_00415A3C
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0041C2ED	3_2_0041C2ED
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004042F0	3_2_004042F0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00439AF0	3_2_00439AF0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042B2FE	3_2_0042B2FE
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00423A81	3_2_00423A81
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00435A90	3_2_00435A90
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042C2A3	3_2_0042C2A3
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042B2BD	3_2_0042B2BD
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043C340	3_2_0043C340
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043DB20	3_2_0043DB20
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042832C	3_2_0042832C
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00434BC8	3_2_00434BC8
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00428BF0	3_2_00428BF0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004353FD	3_2_004353FD
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00417388	3_2_00417388
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0040CB9D	3_2_0040CB9D
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00436450	3_2_00436450
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042CC79	3_2_0042CC79
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00404C30	3_2_00404C30
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042AC3C	3_2_0042AC3C
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00425CC0	3_2_00425CC0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043C4D0	3_2_0043C4D0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00435CF0	3_2_00435CF0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00414C87	3_2_00414C87
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00407490	3_2_00407490
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00421CA0	3_2_00421CA0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00418CB0	3_2_00418CB0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00427CB0	3_2_00427CB0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043C560	3_2_0043C560
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043D560	3_2_0043D560
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0041D510	3_2_0041D510
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00422D20	3_2_00422D20
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00426DA6	3_2_00426DA6
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042265F	3_2_0042265F
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0041DE60	3_2_0041DE60
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00423660	3_2_00423660
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042AE6D	3_2_0042AE6D
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042FE70	3_2_0042FE70
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00415E79	3_2_00415E79
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00411E02	3_2_00411E02
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043C620	3_2_0043C620
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042AEC8	3_2_0042AEC8
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00424ED0	3_2_00424ED0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0041AE80	3_2_0041AE80
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0040E6A4	3_2_0040E6A4
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004116A6	3_2_004116A6
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004066B0	3_2_004066B0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004176B5	3_2_004176B5
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0041EF50	3_2_0041EF50
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00437779	3_2_00437779
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042A700	3_2_0042A700
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042AF23	3_2_0042AF23
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00402F30	3_2_00402F30
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00420730	3_2_00420730
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043DF30	3_2_0043DF30
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004187C8	3_2_004187C8
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004147D6	3_2_004147D6
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00436FF0	3_2_00436FF0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0042AFF9	3_2_0042AFF9
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00431780	3_2_00431780
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00439790	3_2_00439790
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00415797	3_2_00415797

Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: String function: 004E3BC0 appears 68 times
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: String function: 004E9DFF appears 36 times
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: String function: 00407FD0 appears 50 times
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: String function: 004144F0 appears 55 times

Source: cache_registerer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cache_registerer.exe	Static PE information: Section: .bss ZLIB complexity 1.0003407005613125
Source: cache_registerer.exe	Static PE information: Section: .bss ZLIB complexity 1.0003407005613125

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/0@10/1

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 3_2_00430150 CoCreateInstance,

3_2_00430150

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03

Source: cache_registerer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cache_registerer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cache_registerer.exe	Virustotal: Detection: 47%
Source: cache_registerer.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\cache_registerer.exe

File read: C:\Users\user\Desktop\cache_registerer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cache_registerer.exe "C:\Users\user\Desktop\cache_registerer.exe"
Source: C:\Users\user\Desktop\cache_registerer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cache_registerer.exe	Process created: C:\Users\user\Desktop\cache_registerer.exe "C:\Users\user\Desktop\cache_registerer.exe"
Source: C:\Users\user\Desktop\cache_registerer.exe	Process created: C:\Users\user\Desktop\cache_registerer.exe "C:\Users\user\Desktop\cache_registerer.exe"
Source: C:\Users\user\Desktop\cache_registerer.exe	Process created: C:\Users\user\Desktop\cache_registerer.exe "C:\Users\user\Desktop\cache_registerer.exe"	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Process created: C:\Users\user\Desktop\cache_registerer.exe "C:\Users\user\Desktop\cache_registerer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Section loaded: dpapi.dll	Jump to behavior

Source: cache_registerer.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: cache_registerer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cache_registerer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cache_registerer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cache_registerer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cache_registerer.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E306E push ecx; ret	0_2_004E3081
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E306E push ecx; ret	2_2_004E3081
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00442A64 push eax; iretd	3_2_00442A66
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_0043C210 push eax; mov dword ptr [esp], 86858453h	3_2_0043C211
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00442A17 push eax; iretd	3_2_00442A1E
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00443A26 push edi; retf	3_2_00443A28
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00442AAD push eax; iretd	3_2_00442AAE
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00442AA9 push eax; iretd	3_2_00442AAA
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004463FA push ebp; ret	3_2_00446403
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00442C13 push eax; iretd	3_2_00442C3A
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_00442CE8 push eax; iretd	3_2_00442CEA
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 3_2_004396D0 push eax; mov dword ptr [esp], E8E9EAEBh	3_2_004396DE

Source: C:\Users\user\Desktop\cache_registerer.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-11546

Source: C:\Users\user\Desktop\cache_registerer.exe TID: 7448

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004ED871 FindFirstFileExW,		2_2_004ED871
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004ED922 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		2_2_004ED922

Source: cache_registerer.exe, 00000003.00000003.1740663400.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741188172.000000000108C000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 3_2_0043AC30 LdrInitializeThunk,

3_2_0043AC30

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 0_2_004E8077 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004E8077

Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004FE1A9 mov edi, dword ptr fs:[00000030h]	0_2_004FE1A9
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E17D0 mov edi, dword ptr fs:[00000030h]	0_2_004E17D0
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E17D0 mov edi, dword ptr fs:[00000030h]	2_2_004E17D0

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 0_2_004E9E16 GetProcessHeap,

0_2_004E9E16

Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E8077 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004E8077
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E39E5 SetUnhandledExceptionFilter,	0_2_004E39E5
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E39F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004E39F1
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 0_2_004E2F82 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004E2F82
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E8077 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004E8077
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E39E5 SetUnhandledExceptionFilter,	2_2_004E39E5
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E39F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004E39F1
Source: C:\Users\user\Desktop\cache_registerer.exe	Code function: 2_2_004E2F82 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_004E2F82

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 0_2_004FE1A9 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_004FE1A9

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\cache_registerer.exe

Memory written: C:\Users\user\Desktop\cache_registerer.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\cache_registerer.exe	Process created: C:\Users\user\Desktop\cache_registerer.exe "C:\Users\user\Desktop\cache_registerer.exe"			Jump to behavior
Source: C:\Users\user\Desktop\cache_registerer.exe	Process created: C:\Users\user\Desktop\cache_registerer.exe "C:\Users\user\Desktop\cache_registerer.exe"			Jump to behavior

Source: C:\Users\user\Desktop\cache_registerer.exe

Code function: 0_2_004E38D1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004E38D1

Source: C:\Users\user\Desktop\cache_registerer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 3.2.cache_registerer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cache_registerer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716866885.0000000002419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 3.2.cache_registerer.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cache_registerer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716866885.0000000002419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cache_registerer.exe	47%	Virustotal		Browse
cache_registerer.exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
cache_registerer.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
atten-supporse.biz	unknown	unknown	false	high
dare-curbys.biz	unknown	unknown	false	high
impend-differ.biz	unknown	unknown	false	high
se-blurry.biz	unknown	unknown	false	high
zinc-sneark.biz	unknown	unknown	false	high
print-vexer.biz	unknown	unknown	false	high
dwell-exclaim.biz	unknown	unknown	false	high
covery-mover.biz	unknown	unknown	false	high
formy-spill.biz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
dare-curbys.biz	false	high
impend-differ.biz	false	high
dwell-exclaim.biz	false	high
zinc-sneark.biz	false	high
formy-spill.biz	false	high
se-blurry.biz	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
covery-mover.biz	false	high
atten-supporse.biz	false	high
print-vexer.biz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://steamcommunity.com/my/wishlist/	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://player.vimeo.com	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/aa	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/Tp	cache_registerer.exe, 00000003.00000003.1740382962.00000000010B3000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741316877.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740663400.00000000010B5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/?subsection=broadcasts	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/en/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/market/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/news/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/subscriber_agreement/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.gstatic.cn/recaptcha/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/subscriber_agreement/	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net/recaptcha/;	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.valvesoftware.com/legal.htm	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/discussions/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/stats/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://medal.tv	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://broadcast.st.dl.eccdnx.com	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/steam_refunds/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://s.ytimg.com;	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/workshop/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://login.steampowered.com/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	cache_registerer.exe, 00000003.00000003.1740663400.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/legal/	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steam.tv/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/privacy_agreement/	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://recaptcha.net	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://sketchfab.com	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://lv.queniujq.cn	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.youtube.com/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
http://127.0.0.1:27060	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/privacy_agreement/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/recaptcha/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://checkout.steampowered.com/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://help.steampowered.com/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.steampowered.com/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/points/shop	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp	false	high
http://store.steampowered.com/account/cookiepreferences/	cache_registerer.exe, 00000003.00000003.1740346406.0000000001129000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/mobile	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://steamcommunity.com/	cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/;	cache_registerer.exe, 00000003.00000003.1740663400.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000002.1741316877.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://store.steampowered.com/about/	cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	cache_registerer.exe, 00000003.00000002.1741427120.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740382962.000000000111A000.00000004.00000020.00020000.00000000.sdmp, cache_registerer.exe, 00000003.00000003.1740346406.000000000112E000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587420
Start date and time:	2025-01-10 11:10:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cache_registerer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/0@10/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 23 Number of non-executed functions: 124
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target cache_registerer.exe, PID 7424 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:11:00	API Interceptor	2x Sleep call for process: cache_registerer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	NvOxePa.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	asd.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	socolo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	armv5l.elf	Get hash	malicious	Unknown	Browse	23.209.153.127
	http://postman.com/	Get hash	malicious	Unknown	Browse	104.102.43.106
	https://sanctionssearch.ofac.treas.gov	Get hash	malicious	Unknown	Browse	23.49.251.37
	Fantazy.ppc.elf	Get hash	malicious	Unknown	Browse	104.81.98.224
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	184.28.181.149
	6.elf	Get hash	malicious	Unknown	Browse	2.16.79.96
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	104.73.204.147
	sora.arm.elf	Get hash	malicious	Unknown	Browse	96.26.27.34
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	CY SEC AUDIT PLAN 2025.docx.doc	Get hash	malicious	Unknown	Browse	104.102.49.254
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.102.49.254
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse	104.102.49.254
	digitalisierungskonzept_muster.js	Get hash	malicious	Unknown	Browse	104.102.49.254

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.886520974794865
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cache_registerer.exe
File size:	723'456 bytes
MD5:	2ead33be79ca5b23b35275b5dad8b744
SHA1:	d034c2953898fcb77eb3abe604fd0a4cead7b204
SHA256:	c5650ae5f6de8cbfb6e1abc6261d1e3b00836a85e32d1547d089c94fd823c97b
SHA512:	54c4e5def3e4b3c910e0a450145a3433e0b88758b2b8495cb6ffc849d338dedc7d2114e1a8c036a7b7ff1d9988750da26c72f98c4b7ee7eb5df29b0a0c3cef51
SSDEEP:	12288:gyNudyx57oPAa0Tjsj/ukchmmwd+PmjMIda0Tjsj/ukchmmwd+PmjMIT:g+3x5s4a0TAj23wdmmda0TAj23wdmmT
TLSH:	B3F4121275D5C0B3C9F218725524EBB0AE6CFE700F595CEFA3881A3A9D246D2663137E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....$Xg.................N..........,6............@..........................P............@.................................l...d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40362c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x675824C0 [Tue Dec 10 11:23:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a112abbe863b41e52c9623cb55e95229

Entrypoint Preview

Instruction
call 00007FA8708132BAh
jmp 00007FA870812ED9h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FA87081306Fh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [0041F530h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007FA870813069h
call 00007FA87081745Ch
jmp 00007FA87081306Dh
push 0041F530h
call 00007FA8708173DFh
pop ecx
pop ecx
xor ecx, ecx
test eax, eax
cmove ecx, dword ptr [ebp+08h]
mov eax, ecx
pop ebp
ret
push 00000008h
push 0041D8A0h
call 00007FA8708135A0h
and dword ptr [ebp-04h], 00000000h
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
jne 00007FA8708130BFh
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FA8708130AEh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FA8708130A0h
mov eax, dword ptr [ebp+08h]
mov ecx, 00400000h
sub eax, ecx
push eax
push ecx
call 00007FA8708131E2h
pop ecx
pop ecx
test eax, eax
je 00007FA870813089h
cmp dword ptr [eax+24h], 00000000h
jl 00007FA870813083h
mov dword ptr [ebp-04h], FFFFFFFEh
mov al, 01h
jmp 00007FA870813081h
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
xor ecx, ecx
cmp dword ptr [eax], C0000005h
sete cl
mov eax, ecx
ret
mov esp, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ca6c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x21000	0x1380	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x16838	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1cc34	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14d41	0x14e00	5531be595b35575e0afb4c9b8a2517c7	False	0.5989193488023952	data	6.633260618530554	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x7e3c	0x8000	07b759087fc0a6707531636d30caf413	False	0.455291748046875	data	5.058320373644095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x1c4c	0x1200	c841ce448b1fa3b2ecc767edba92885a	False	0.4305555555555556	data	4.609408766277521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x20000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x21000	0x1380	0x1400	2b862e6657b5db5bbe873e748776845a	False	0.7927734375	data	6.506578767679422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x23000	0x48600	0x48600	114bd6a84fb3a95a88ec26be78e8130f	False	1.0003407005613125	data	7.99936560630976	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x6c000	0x48600	0x48600	114bd6a84fb3a95a88ec26be78e8130f	False	1.0003407005613125	data	7.99936560630976	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ole32.dll	CoResumeClassObjects
ADVAPI32.dll	CryptContextAddRef
KERNEL32.dll	AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile
USER32.dll	DefWindowProcW, GetMessageW, PostQuitMessage, RegisterClassW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T11:11:01.288335+0100	2057921	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz)	1	192.168.2.4	64132	1.1.1.1	53	UDP
2025-01-10T11:11:01.301530+0100	2057945	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)	1	192.168.2.4	50558	1.1.1.1	53	UDP
2025-01-10T11:11:01.301530+0100	2057983	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)	1	192.168.2.4	50558	1.1.1.1	53	UDP
2025-01-10T11:11:01.301530+0100	2058685	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (se-blurry .biz)	1	192.168.2.4	50558	1.1.1.1	53	UDP
2025-01-10T11:11:01.312548+0100	2057949	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)	1	192.168.2.4	51450	1.1.1.1	53	UDP
2025-01-10T11:11:01.312548+0100	2057981	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)	1	192.168.2.4	51450	1.1.1.1	53	UDP
2025-01-10T11:11:01.312548+0100	2058683	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zinc-sneark .biz)	1	192.168.2.4	51450	1.1.1.1	53	UDP
2025-01-10T11:11:01.322954+0100	2057929	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)	1	192.168.2.4	54203	1.1.1.1	53	UDP
2025-01-10T11:11:01.322954+0100	2057979	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)	1	192.168.2.4	54203	1.1.1.1	53	UDP
2025-01-10T11:11:01.322954+0100	2058681	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dwell-exclaim .biz)	1	192.168.2.4	54203	1.1.1.1	53	UDP
2025-01-10T11:11:01.334207+0100	2057931	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)	1	192.168.2.4	60023	1.1.1.1	53	UDP
2025-01-10T11:11:01.334207+0100	2057977	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)	1	192.168.2.4	60023	1.1.1.1	53	UDP
2025-01-10T11:11:01.334207+0100	2058679	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (formy-spill .biz)	1	192.168.2.4	60023	1.1.1.1	53	UDP
2025-01-10T11:11:01.344502+0100	2057925	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)	1	192.168.2.4	52396	1.1.1.1	53	UDP
2025-01-10T11:11:01.344502+0100	2057973	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)	1	192.168.2.4	52396	1.1.1.1	53	UDP
2025-01-10T11:11:01.344502+0100	2058675	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (covery-mover .biz)	1	192.168.2.4	52396	1.1.1.1	53	UDP
2025-01-10T11:11:01.357569+0100	2057927	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)	1	192.168.2.4	63113	1.1.1.1	53	UDP
2025-01-10T11:11:01.357569+0100	2057975	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)	1	192.168.2.4	63113	1.1.1.1	53	UDP
2025-01-10T11:11:01.357569+0100	2058677	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dare-curbys .biz)	1	192.168.2.4	63113	1.1.1.1	53	UDP
2025-01-10T11:11:01.368703+0100	2057943	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)	1	192.168.2.4	55569	1.1.1.1	53	UDP
2025-01-10T11:11:01.368703+0100	2057971	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)	1	192.168.2.4	55569	1.1.1.1	53	UDP
2025-01-10T11:11:01.368703+0100	2058673	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (print-vexer .biz)	1	192.168.2.4	55569	1.1.1.1	53	UDP
2025-01-10T11:11:01.379021+0100	2057935	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)	1	192.168.2.4	51534	1.1.1.1	53	UDP
2025-01-10T11:11:01.379021+0100	2057969	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)	1	192.168.2.4	51534	1.1.1.1	53	UDP
2025-01-10T11:11:01.379021+0100	2058671	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impend-differ .biz)	1	192.168.2.4	51534	1.1.1.1	53	UDP
2025-01-10T11:11:02.063855+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.102.49.254	443	TCP
2025-01-10T11:11:03.540059+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49730	104.102.49.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:11:01.401458979 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:01.401510954 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:01.401602983 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:01.404443979 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:01.404464006 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:02.063524008 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:02.063854933 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:02.068737984 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:02.068754911 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:02.069212914 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:02.111666918 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:02.125386000 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:02.167342901 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.540112019 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.540138006 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.540170908 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.540175915 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.540184021 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.540205002 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.540215969 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.540216923 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.540231943 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.540244102 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.540257931 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.624509096 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.624557018 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.624588013 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.624592066 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.624646902 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.626931906 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.626949072 CET	443	49730	104.102.49.254	192.168.2.4
Jan 10, 2025 11:11:03.626960993 CET	49730	443	192.168.2.4	104.102.49.254
Jan 10, 2025 11:11:03.626966000 CET	443	49730	104.102.49.254	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:11:01.288335085 CET	64132	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.297842026 CET	53	64132	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.301529884 CET	50558	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.310714960 CET	53	50558	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.312547922 CET	51450	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.321518898 CET	53	51450	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.322953939 CET	54203	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.332824945 CET	53	54203	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.334207058 CET	60023	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.343355894 CET	53	60023	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.344501972 CET	52396	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.353730917 CET	53	52396	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.357568979 CET	63113	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.365905046 CET	53	63113	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.368702888 CET	55569	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.377532005 CET	53	55569	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.379020929 CET	51534	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.388813019 CET	53	51534	1.1.1.1	192.168.2.4
Jan 10, 2025 11:11:01.389987946 CET	50043	53	192.168.2.4	1.1.1.1
Jan 10, 2025 11:11:01.396688938 CET	53	50043	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:11:01.288335085 CET	192.168.2.4	1.1.1.1	0x6d25	Standard query (0)	atten-supporse.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.301529884 CET	192.168.2.4	1.1.1.1	0xb409	Standard query (0)	se-blurry.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.312547922 CET	192.168.2.4	1.1.1.1	0x7160	Standard query (0)	zinc-sneark.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.322953939 CET	192.168.2.4	1.1.1.1	0x10e6	Standard query (0)	dwell-exclaim.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.334207058 CET	192.168.2.4	1.1.1.1	0xa4cf	Standard query (0)	formy-spill.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.344501972 CET	192.168.2.4	1.1.1.1	0x39c1	Standard query (0)	covery-mover.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.357568979 CET	192.168.2.4	1.1.1.1	0x3cf9	Standard query (0)	dare-curbys.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.368702888 CET	192.168.2.4	1.1.1.1	0xae24	Standard query (0)	print-vexer.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.379020929 CET	192.168.2.4	1.1.1.1	0x1cdb	Standard query (0)	impend-differ.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.389987946 CET	192.168.2.4	1.1.1.1	0xe42	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:11:01.297842026 CET	1.1.1.1	192.168.2.4	0x6d25	Name error (3)	atten-supporse.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.310714960 CET	1.1.1.1	192.168.2.4	0xb409	Name error (3)	se-blurry.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.321518898 CET	1.1.1.1	192.168.2.4	0x7160	Name error (3)	zinc-sneark.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.332824945 CET	1.1.1.1	192.168.2.4	0x10e6	Name error (3)	dwell-exclaim.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.343355894 CET	1.1.1.1	192.168.2.4	0xa4cf	Name error (3)	formy-spill.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.353730917 CET	1.1.1.1	192.168.2.4	0x39c1	Name error (3)	covery-mover.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.365905046 CET	1.1.1.1	192.168.2.4	0x3cf9	Name error (3)	dare-curbys.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.377532005 CET	1.1.1.1	192.168.2.4	0xae24	Name error (3)	print-vexer.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.388813019 CET	1.1.1.1	192.168.2.4	0x1cdb	Name error (3)	impend-differ.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:11:01.396688938 CET	1.1.1.1	192.168.2.4	0xe42	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.102.49.254	443	7432	C:\Users\user\Desktop\cache_registerer.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:11:02 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-10 10:11:03 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 10 Jan 2025 10:11:03 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=83829215e377cd6d9013837e; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 10:11:03 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 10:11:03 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	05:10:56
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\cache_registerer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cache_registerer.exe"
Imagebase:	0x4e0000
File size:	723'456 bytes
MD5 hash:	2EAD33BE79CA5B23B35275B5DAD8B744
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1716866885.0000000002419000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:10:56
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:11:00
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\cache_registerer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\cache_registerer.exe"
Imagebase:	0x4e0000
File size:	723'456 bytes
MD5 hash:	2EAD33BE79CA5B23B35275B5DAD8B744
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:11:00
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\cache_registerer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\cache_registerer.exe"
Imagebase:	0x4e0000
File size:	723'456 bytes
MD5 hash:	2EAD33BE79CA5B23B35275B5DAD8B744
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	1393
Total number of Limit Nodes:	17

Executed Functions

Function 004FE1A9 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,004FE11B,004FE10B), ref: 004FE33F
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 004FE352
Wow64GetThreadContext.KERNEL32(000001A4,00000000), ref: 004FE370
ReadProcessMemory.KERNELBASE(000001A8,?,004FE15F,00000004,00000000), ref: 004FE394
VirtualAllocEx.KERNELBASE(000001A8,?,?,00003000,00000040), ref: 004FE3BF
TerminateProcess.KERNELBASE(000001A8,00000000), ref: 004FE3DE
WriteProcessMemory.KERNELBASE(000001A8,00000000,?,?,00000000,?), ref: 004FE417
WriteProcessMemory.KERNELBASE(000001A8,00400000,?,?,00000000,?,00000028), ref: 004FE462
WriteProcessMemory.KERNELBASE(000001A8,?,?,00000004,00000000), ref: 004FE4A0
Wow64SetThreadContext.KERNEL32(000001A4,004C0000), ref: 004FE4DC
ResumeThread.KERNELBASE(000001A4), ref: 004FE4EB

Strings

GetP, xrefs: 004FE229
TerminateProcess, xrefs: 004FE3CE
ress, xrefs: 004FE231
aryA, xrefs: 004FE1ED
VirtualAllocEx, xrefs: 004FE2A7
SetThreadContext, xrefs: 004FE2CD
Load, xrefs: 004FE1E5
WriteProcessMemory, xrefs: 004FE2BA
GetThreadContext, xrefs: 004FE281
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 004FE33E
CreateProcessW, xrefs: 004FE25B
VirtualAlloc, xrefs: 004FE26E
ReadProcessMemory, xrefs: 004FE294
ResumeThread, xrefs: 004FE2E3

Memory Dump Source

Source File: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: e963cb516c12bc0cd10ba3214c626ce046ea91d649a0bcfee9dbf7600346d8b7
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: DFB1187260024AAFDB60CF69CC80BEA73A5FF88714F158165EA0CAB351D774FA41CB94

Function 004E17D0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 293
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E1000: _strlen.LIBCMT ref: 004E108D

CreateFileA.KERNELBASE ref: 004E184C
GetFileSize.KERNEL32(00000000,00000000), ref: 004E185C
ReadFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 004E1885
CloseHandle.KERNELBASE(00000000), ref: 004E1895
_strlen.LIBCMT ref: 004E18F7
CloseHandle.KERNEL32(00000000), ref: 004E1B20
CloseHandle.KERNEL32(00000000), ref: 004E1B35

Strings

(, xrefs: 004E18D0

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CloseFileHandle$_strlen$CreateReadSize
String ID: (
API String ID: 2150716653-3887548279
Opcode ID: c6825ebe0d36bf865c3cc6505edcf1fb1ac4ab4c6c0cbcfa2ed89ae3fea0b994
Instruction ID: ce394cc38b9e22c3950c84662fca1a6e48408651b17ca16b05e4ff261ee10224
Opcode Fuzzy Hash: c6825ebe0d36bf865c3cc6505edcf1fb1ac4ab4c6c0cbcfa2ed89ae3fea0b994
Instruction Fuzzy Hash: E3A12972D402548FCB10DFB9DD85AAEFBB6BF4A310F14162AE801A7361E7389941CB58

Function 004E1D30 Relevance: 18.2, APIs: 12, Instructions: 176
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004E1D63
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004E1D76

Part of subcall function 004E234A: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004E2E92
Part of subcall function 004E234A: ___raise_securityfailure.LIBCMT ref: 004E2F7A

GetCurrentThreadId.KERNEL32 ref: 004E1DFA

Part of subcall function 004E2E15: WaitForSingleObjectEx.KERNEL32(004E17D0,000000FF,00000000,?,?,?,004E1E17,?,004E17D0,00000000), ref: 004E2E21
Part of subcall function 004E2E15: GetExitCodeThread.KERNEL32(004E17D0,00000000,?,?,004E1E17,?,004E17D0,00000000), ref: 004E2E3A
Part of subcall function 004E2E15: CloseHandle.KERNEL32(004E17D0,?,?,004E1E17,?,004E17D0,00000000), ref: 004E2E4C

Part of subcall function 004E6F9F: CreateThread.KERNELBASE(00000000,00000000,Function_000070B7,00000000,00000000,00000000), ref: 004E6FE8
Part of subcall function 004E6F9F: GetLastError.KERNEL32(?,?,?,?,004E1DD3,00000000,00000000), ref: 004E6FF4
Part of subcall function 004E6F9F: __dosmaperr.LIBCMT ref: 004E6FFB

GetCurrentThreadId.KERNEL32 ref: 004E1E95
std::_Throw_Cpp_error.LIBCPMT ref: 004E1EED
std::_Throw_Cpp_error.LIBCPMT ref: 004E1EFF
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F0E
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F1D
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F2C
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F3E
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F50
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F62

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CurrentHandleModule$CloseCodeCreateErrorExitFeatureFileLastNameObjectPresentProcessorSingleWait___raise_securityfailure__dosmaperr
String ID:
API String ID: 610485761-0
Opcode ID: 8c7cc4c47a7f79e7cd6bd81148d5d372a0c3d610bf0d06e678a12313079f2852
Instruction ID: b20f996ec65aa9b0dade429103d1e6096bef79de02afadcdeaa339789c258213
Opcode Fuzzy Hash: 8c7cc4c47a7f79e7cd6bd81148d5d372a0c3d610bf0d06e678a12313079f2852
Instruction Fuzzy Hash: AB51D1B1D812499BEB10EFA6CD02BDFB6B4AF05715F040269E914373D0E7F96904CAA9

Function 004E9BBE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,6F282CA8,?,004E9CCD,?,?,00000000), ref: 004E9C7F

Strings

api-ms-, xrefs: 004E9C15
ext-ms-, xrefs: 004E9C29

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 7d36d20435da772b93ab9856b512b61643e36e1aedf97770ff7fd2ed79235f94
Instruction ID: b57c0fcb4fbb1178145c58b20c90dc1f3e423b263c6445021c01c9bda7270e53
Opcode Fuzzy Hash: 7d36d20435da772b93ab9856b512b61643e36e1aedf97770ff7fd2ed79235f94
Instruction Fuzzy Hash: C521E732A00298ABD721AB22DD84A7B37D9EF41766F340172E916A73D0D638FD11C6DC

Function 004E70B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(004FD900,0000000C), ref: 004E70CA
ExitThread.KERNEL32 ref: 004E70D1

Strings

f2N, xrefs: 004E7107

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: f2N
API String ID: 1611280651-3473888870
Opcode ID: 02a54155eece2e3df80eedfc2814b410ab4ed659052674555a485a816384a1a4
Instruction ID: e5499e37a5df0167cfa0d112ea412135bdaacc9748f0f3c350b30184e27580a4
Opcode Fuzzy Hash: 02a54155eece2e3df80eedfc2814b410ab4ed659052674555a485a816384a1a4
Instruction Fuzzy Hash: 51F0A4719002889FDB11EBB2D94AA7E3B74EF00716F10409EF10557292CF786901CB99

Function 004E13F0 Relevance: 4.6, APIs: 3, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoResumeClassObjects.OLE32 ref: 004E150E
KiUserExceptionDispatcher.NTDLL(00000000,00000000,00000000), ref: 004E1521
GetLastError.KERNEL32 ref: 004E1583

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ClassDispatcherErrorExceptionLastObjectsResumeUser
String ID:
API String ID: 3099690820-0
Opcode ID: e68ac0cd76c71162448d73feae69aeb2bd20be7329dbd26dd5dfa3707745dfbd
Instruction ID: 6fb79226ae56b7aef96ded89034f9f412758e8d320faf64dc3843e2740487f58
Opcode Fuzzy Hash: e68ac0cd76c71162448d73feae69aeb2bd20be7329dbd26dd5dfa3707745dfbd
Instruction Fuzzy Hash: FB5180708052988BDF11CFA9D445BEEBFB0BF0A315F1441AAD845B3381C3795A05CFA9

Function 004E1710 Relevance: 4.6, APIs: 3, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E1000: _strlen.LIBCMT ref: 004E108D

FreeConsole.KERNELBASE ref: 004E1741

Part of subcall function 004E13F0: CoResumeClassObjects.OLE32 ref: 004E150E
Part of subcall function 004E13F0: KiUserExceptionDispatcher.NTDLL(00000000,00000000,00000000), ref: 004E1521

VirtualProtect.KERNELBASE(004FE01C,00000549,00000040,?), ref: 004E1790
ExitProcess.KERNEL32 ref: 004E17C6

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ClassConsoleDispatcherExceptionExitFreeObjectsProcessProtectResumeUserVirtual_strlen
String ID:
API String ID: 3360678313-0
Opcode ID: 37e0462a87ac615a01fcede80e369ca1f482848640c9d2baf18cd87870cb570a
Instruction ID: c9775d3ef9fa125b41cd5f49edd8bd1f5bb0321b2802426cef8de4b2bfe16e01
Opcode Fuzzy Hash: 37e0462a87ac615a01fcede80e369ca1f482848640c9d2baf18cd87870cb570a
Instruction Fuzzy Hash: ED110A31A401587FEB00AF669C03FBF3765DB44706F54443AFA08A72D2DAB9AA10869D

Function 004E6F9F Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000070B7,00000000,00000000,00000000), ref: 004E6FE8
GetLastError.KERNEL32(?,?,?,?,004E1DD3,00000000,00000000), ref: 004E6FF4
__dosmaperr.LIBCMT ref: 004E6FFB

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 3b74aff23386065b8c07dd5feb0bd4eb9287980d48e75b8039214d5985410ce9
Instruction ID: b362c99da66026b033fb486e4cf7a110629f6f46d02add6b5161226796827ebd
Opcode Fuzzy Hash: 3b74aff23386065b8c07dd5feb0bd4eb9287980d48e75b8039214d5985410ce9
Instruction Fuzzy Hash: 6801B532504189AFDF15AFA2DC05AAF3B65EF00376F00015AF80196250DB39CE50D798

Function 004E20C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004E20C5

Part of subcall function 004E2CA2: std::invalid_argument::invalid_argument.LIBCONCRT ref: 004E2CAE
Part of subcall function 004E2CA2: std::exception::exception.LIBCMT ref: 004E2CCB

Part of subcall function 004E2D17: GetCurrentThreadId.KERNEL32 ref: 004E2D42

Strings

string too long, xrefs: 004E20C0

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CurrentThreadXinvalid_argumentstd::_std::exception::exceptionstd::invalid_argument::invalid_argument
String ID: string too long
API String ID: 2087764332-2556327735
Opcode ID: ea25064bc79fa01fab05690a53fff7dbad9bd56d3c3304f2fa1e1a1509b4381c
Instruction ID: a3c031ba00d276bf7840393761c7ef0a02e80acd41470f831ebd850bf2d13e01
Opcode Fuzzy Hash: ea25064bc79fa01fab05690a53fff7dbad9bd56d3c3304f2fa1e1a1509b4381c
Instruction Fuzzy Hash: 8B01FDB1D002489FCB00DFA6C842B9FBBB9FB04720F10823AE90563740D3B99A00CAE5

Function 004EF4C2 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004EF86C: GetConsoleOutputCP.KERNEL32(6F282CA8,00000000,00000000,?), ref: 004EF8CF

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,004E56A2,?,004E5904), ref: 004EF647
GetLastError.KERNEL32(?,004E56A2,?,004E5904,?,004E5904,?,?,?,?,?,?,?,00000000,?,?), ref: 004EF651

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 6f1116e3b07d31e20e67a9850fd4de3f3b3aa258d8dd3d9b565cd7589b32fe85
Instruction ID: 4444cf87d6aad851908f1d6eb37854d74cb5da679fd5432e0e308d3f281cb231
Opcode Fuzzy Hash: 6f1116e3b07d31e20e67a9850fd4de3f3b3aa258d8dd3d9b565cd7589b32fe85
Instruction Fuzzy Hash: 5461D7B1800189BFDF11DFAAC844EBF7BB5AF19309F14016AE804A7252D339D91ACB59

Function 004E234A Relevance: 3.1, APIs: 2, Instructions: 94
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E3F3E: RaiseException.KERNEL32(E06D7363,00000001,00000003,004E20CA,?,?,?,004E2CC1,004E20CA,004FD820,?,004E20CA,string too long,004E12D2), ref: 004E3F9F

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004E2E92
___raise_securityfailure.LIBCMT ref: 004E2F7A

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ExceptionFeaturePresentProcessorRaise___raise_securityfailure
String ID:
API String ID: 3749517692-0
Opcode ID: b89b16f6a2f964e6c7ecf51b35a657b0b6ae4691646e616e946717ec89b37205
Instruction ID: a310077d5f56fb07b3ea866318ecfc1a60c8410fa19944a826af9c14708d528e
Opcode Fuzzy Hash: b89b16f6a2f964e6c7ecf51b35a657b0b6ae4691646e616e946717ec89b37205
Instruction Fuzzy Hash: 2C318DB8900309ABD700DF6AFD45A647BA8BF04305F21847AED14C73B1E7B59669CB8C

Function 004EFC9B Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,004EF62D,?,004E5904,?,?,?,00000000), ref: 004EFD37
GetLastError.KERNEL32(?,004EF62D,?,004E5904,?,?,?,00000000,?,?,?,?,?,004E56A2,?,004E5904), ref: 004EFD5D

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 57a16b802d438437c79cef63a02c34afa9964cb80ea9bf00e3a45f64b03a0de2
Instruction ID: 98962bf43f4c5cb01f50bfdaccaa6012dd9e4f3d960185c25d82c8493d511d95
Opcode Fuzzy Hash: 57a16b802d438437c79cef63a02c34afa9964cb80ea9bf00e3a45f64b03a0de2
Instruction Fuzzy Hash: 3121B431A002599FCB15CF2ADD809E9B7B9FF49306F2044BAE906D7311D6349E46CF68

Function 004EA59C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,004EA48B,004FDC40,0000000C), ref: 004EA5E8
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,004EA48B,004FDC40,0000000C), ref: 004EA5FA

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 0e4edb3d2904e8844c208b218a5c481db6aab763f229ddc79ee50567962981d4
Instruction ID: 11804fdf98923da27c0ca38cfddc7afcf529d079a3b70161064953d057cdca9c
Opcode Fuzzy Hash: 0e4edb3d2904e8844c208b218a5c481db6aab763f229ddc79ee50567962981d4
Instruction Fuzzy Hash: 2B11D57150478156C7304E3F8C886337A94A797376B39071BE0F6826F1C628E967C25B

Function 004E9C89 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2351cf46ceb4bc4f6060a469b9d2cc2a4aa5e7e41572a3cd84e16ab6959eb5a
Instruction ID: 8bc2b38e25526ba49b5d3e4280bcc0bdf6649b36cffdb36e1b3694c2882b204c
Opcode Fuzzy Hash: b2351cf46ceb4bc4f6060a469b9d2cc2a4aa5e7e41572a3cd84e16ab6959eb5a
Instruction Fuzzy Hash: 6F01D233600265AFDB029E6BFC8496637E6BB817223244526FA15C72E8DA349C11D78D

Function 004EB8D6 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,004EAB77,?,?,004EAB77,00000220,?,00000000,?), ref: 004EB908

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 472b32a57f2d3c67883305e627bc6b6eee3d5a515dbb1f223f74ed7377af9ee5
Instruction ID: c23b5654662f043a65e10f018f53f38b2d83993f721d4c0168a21bf66557d14e
Opcode Fuzzy Hash: 472b32a57f2d3c67883305e627bc6b6eee3d5a515dbb1f223f74ed7377af9ee5
Instruction Fuzzy Hash: 66E0A0311012E566DA2036639C01B7B364CDB413A6F150127ED08963A2CB288D0095FD

Non-executed Functions

Function 004F0422 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004F0639

Strings

1#INF, xrefs: 004F0558
1#IND, xrefs: 004F0527
1#SNAN, xrefs: 004F052E
1#QNAN, xrefs: 004F0535

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2b29dbec509c62329c0a6548b658699fcee4e2232c08419823c4d83aba975ccf
Instruction ID: 6d6936cdeaa75eb0670d95a6e87c6f7c916b0cb560b357988b5aee90799bfd9e
Opcode Fuzzy Hash: 2b29dbec509c62329c0a6548b658699fcee4e2232c08419823c4d83aba975ccf
Instruction Fuzzy Hash: 26D22671E0822D8FDB64CE28CD40BEAB7B5EB84345F1441EAD50DE7241EB78AE858F45

Function 004F1A10 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7946e7d3bd8a4c71b1004167feaff1146a0b4289e9922db4fb30fff94b398ee0
Instruction ID: c395606fd1b3a71c2300a007e3a781ce5cf0bcb956fb9cbc4c5ea10631d6fa53
Opcode Fuzzy Hash: 7946e7d3bd8a4c71b1004167feaff1146a0b4289e9922db4fb30fff94b398ee0
Instruction Fuzzy Hash: 22023D71E01219DBDF14CFA9C980AAEBBB1FF49314F24826ADA15E7350D735AA01CB94

Function 004E39F1 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004E39FD
IsDebuggerPresent.KERNEL32 ref: 004E3AC9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004E3AE2
UnhandledExceptionFilter.KERNEL32(?), ref: 004E3AEC

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 42e566195971a8affdb01bd09a1e9deafb93bf1cad67a6f74299b8098f6b5023
Instruction ID: 6859b25dada4fd463706a887458e82804bdefdc2cb6406f6515909c40dbb0cd7
Opcode Fuzzy Hash: 42e566195971a8affdb01bd09a1e9deafb93bf1cad67a6f74299b8098f6b5023
Instruction Fuzzy Hash: 00312975C0521C9BDB21DF65DD89BCDBBB8AF48305F1041AAE40DAB250E7749B84CF49

Function 004E38D1 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 004E38E3
GetCurrentThreadId.KERNEL32 ref: 004E38F2
GetCurrentProcessId.KERNEL32 ref: 004E38FB
QueryPerformanceCounter.KERNEL32(?), ref: 004E3908

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 20916d76fe32a96991029c62488466a31a32a17b242dfcae133c44c7e97df1f4
Instruction ID: 3bfa3aeba0c157efc870a2a102dd06777a3c9ec1d827bf4950336c330389af47
Opcode Fuzzy Hash: 20916d76fe32a96991029c62488466a31a32a17b242dfcae133c44c7e97df1f4
Instruction Fuzzy Hash: E8F05F75D1020DEBCB00DBB4DA8999EBBF4EF1C200B9145A5A412E6110EA30AB54DB55

Function 004E8077 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004E816F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004E8179
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 004E8186

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b7ad93e49c80e710d349f304922d99ddf5a12e82f98c4e97a8bf8e150d9a67e4
Instruction ID: 87dd4998d4b610e05412291f08a1d0f09d9edd10f8873b0aac633736456b8987
Opcode Fuzzy Hash: b7ad93e49c80e710d349f304922d99ddf5a12e82f98c4e97a8bf8e150d9a67e4
Instruction Fuzzy Hash: EA31D67490122C9BCB21DF69DD8879DBBB8BF48311F5041EAE40CA7251EB749F858F48

Function 004F566E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004F55C9,?,?,00000008,?,?,004F519B,00000000), ref: 004F589B

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9f5daf2f7b32bdc986f082d93ad17c014fdf944fd53f409f281df81946c9d312
Instruction ID: 040d40542b7b92020f3a063ef7390ca9c6550d965c10d050f966754a5d694a8c
Opcode Fuzzy Hash: 9f5daf2f7b32bdc986f082d93ad17c014fdf944fd53f409f281df81946c9d312
Instruction Fuzzy Hash: A7B18E71110A08DFD719CF28C48AB657BE0FF05364F258659EA99CF3A1C379D992CB44

Function 004E1000 Relevance: 1.7, APIs: 1, Instructions: 243COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004E108D

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 2987bb8573f51f5f2af0a4fe7c85b0ca6323f9fbdabbca4835cfd77c2bf9c5b1
Instruction ID: 909dfd64f78c25bfab3957f6e90d050b3898376d2a906465b4eb4ba317004792
Opcode Fuzzy Hash: 2987bb8573f51f5f2af0a4fe7c85b0ca6323f9fbdabbca4835cfd77c2bf9c5b1
Instruction Fuzzy Hash: 6B91F772E402588FCB14CFB9D8809AEFBF6BF8A310F14552AD905BB351E734A941CB58

Function 004E3C05 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004E3C1B

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 2a618c18308ab6c7f9fbe166da58f8b297ef7ded51e4bc26326b6a5e04cc8643
Instruction ID: 6f5443be5f3fa1ac392efdefb7217240daba51beaedfd5397adf7c12a63d93d8
Opcode Fuzzy Hash: 2a618c18308ab6c7f9fbe166da58f8b297ef7ded51e4bc26326b6a5e04cc8643
Instruction Fuzzy Hash: 96A1C0B2D006088FEB19CF5AD8856AEBBF1FB58316F24857AD515E7360C3389950CF58

Function 004E5C52 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 004E5DD6

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ac373ea3d070999707b26149c43fc07b8389a8ccdb0f97723ad9e55742243fdb
Instruction ID: 80382efbd4d07f5d13cb5771ec7f731092eb897f65b8e12cf1728983cc74d79e
Opcode Fuzzy Hash: ac373ea3d070999707b26149c43fc07b8389a8ccdb0f97723ad9e55742243fdb
Instruction Fuzzy Hash: A7B1B570900E868BCB24CF6BC959ABF7BA5AB0131EF14461FD452D7791C6389E02CB59

Function 004E39E5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00003B06,004E349D), ref: 004E39EA

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7658d39bf2fe18a26340153b74e48fda1d3732a9e30913557ebc4c871094c58f
Instruction ID: 87896d7c71bca3f0d53fd5cbfd3714e11bb28efe6e4c5312765a0b531e3b15b1
Opcode Fuzzy Hash: 7658d39bf2fe18a26340153b74e48fda1d3732a9e30913557ebc4c871094c58f
Instruction Fuzzy Hash:

Function 004E9E16 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 004E9E16

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 65c409bd50040fb34324ea962991c1f99ef8b5a10af6e81bad596c3121a57227
Instruction ID: f44ef86ae50c82e341c1b038bd6da8132618999ab6bab171c3ff541d3bf7761f
Opcode Fuzzy Hash: 65c409bd50040fb34324ea962991c1f99ef8b5a10af6e81bad596c3121a57227
Instruction Fuzzy Hash: C6A011B0202200CB83008F32AA083283AA8BA022E0B028038A008C2020EB208220EF08

Function 004E4650 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004E4687
___except_validate_context_record.LIBVCRUNTIME ref: 004E468F
_ValidateLocalCookies.LIBCMT ref: 004E4718
__IsNonwritableInCurrentImage.LIBCMT ref: 004E4743
_ValidateLocalCookies.LIBCMT ref: 004E4798

Strings

]CN, xrefs: 004E4735, 004E473E, 004E474F
csm, xrefs: 004E472D
f2N, xrefs: 004E475C

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: ]CN$csm$f2N
API String ID: 1170836740-4281818672
Opcode ID: 5d4844638e47927f92a2bfe778113bafb1c193b60fec4acb271eb319e3b048ee
Instruction ID: f0ee2f20e658cd107181b30a80d5897964b80284da1c5876d360a2d0d408edd8
Opcode Fuzzy Hash: 5d4844638e47927f92a2bfe778113bafb1c193b60fec4acb271eb319e3b048ee
Instruction Fuzzy Hash: F041EA749002889BCF10DF6BC884A9E7BB1FF86316F14855BE9145B392C739AD11CBD9

Function 004F3FDE Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,004F3FC9,?,?,?,?,?,?,?,?,?), ref: 004F4084
__alloca_probe_16.LIBCMT ref: 004F413F
__alloca_probe_16.LIBCMT ref: 004F41CE
__freea.LIBCMT ref: 004F4219
__freea.LIBCMT ref: 004F421F
__freea.LIBCMT ref: 004F4255
__freea.LIBCMT ref: 004F425B
__freea.LIBCMT ref: 004F426B

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: a296d6bda5d418140dac417c4e8d7d0b3db78644b4756fbc4ecde9559c25d070
Instruction ID: 8f09314e629e486dd1eb306bb9ed3d74aa021fd0bb599afa1b116f81e28217cc
Opcode Fuzzy Hash: a296d6bda5d418140dac417c4e8d7d0b3db78644b4756fbc4ecde9559c25d070
Instruction Fuzzy Hash: 3B71D23290020D6BDF209E958D81BBF77A9AF89355F16016BFB04A7381DF3D8D4187A9

Function 004EC28B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004EC311

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6f50279ee7fba881e46e44fc6ac24256dd30adf8a6b45f72db007344eb616516
Instruction ID: 78f12f27d62d3ded8f5f901ff6426e784df0c48a370059c5c665017b964e3206
Opcode Fuzzy Hash: 6f50279ee7fba881e46e44fc6ac24256dd30adf8a6b45f72db007344eb616516
Instruction Fuzzy Hash: 24B158729002E5AFDB118F6ACCC1BBF7BA5EF55311F144157E904AB382D778A902C7A8

Function 004E8EC9 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 004E8FE8
CallUnexpected.LIBVCRUNTIME ref: 004E9261

Strings

csm, xrefs: 004E901F
csm, xrefs: 004E8F06
xaO, xrefs: 004E8FDF
csm, xrefs: 004E8F73

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm$xaO
API String ID: 2673424686-285699695
Opcode ID: fe507b44445b710f37649dafef10f386aa45750b2e56715376a9edeac6cf0a0c
Instruction ID: faafa6106325cdfaa9a5367462a12935de7f479949a097045fec0bf31ec3126c
Opcode Fuzzy Hash: fe507b44445b710f37649dafef10f386aa45750b2e56715376a9edeac6cf0a0c
Instruction Fuzzy Hash: 8FB18871800289EFCF14DFA6C8849AEB7B9BF04306F14459FE8156B282D739DE51CB99

Function 004E720B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6F282CA8,?,?,00000000,004F5CA3,000000FF,?,004E72CC,00000002,?,004E7368,004E84AD), ref: 004E7240
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004E7252
FreeLibrary.KERNEL32(00000000,?,?,00000000,004F5CA3,000000FF,?,004E72CC,00000002,?,004E7368,004E84AD), ref: 004E7274

Strings

CorExitProcess, xrefs: 004E724A
mscoree.dll, xrefs: 004E7239
f2N, xrefs: 004E7263

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$f2N$mscoree.dll
API String ID: 4061214504-910826858
Opcode ID: 2355bfe69f99ae440f8c8e13b386a9891451ca7418b5b0231942854c0adb9b52
Instruction ID: dbb457a70cc5ad449ec3bf9d0adc6983b1f1e46cacdda80b76889d0e0767bceb
Opcode Fuzzy Hash: 2355bfe69f99ae440f8c8e13b386a9891451ca7418b5b0231942854c0adb9b52
Instruction Fuzzy Hash: B501A27194469DAFDB118F55CD49BBEBBB8FB04B26F104936F911A22D0DB789810CB88

Function 004E3269 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004E326F
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004E327D
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004E328E

Strings

GetSystemTimePreciseAsFileTime, xrefs: 004E3277
kernel32.dll, xrefs: 004E326A
GetTempPath2W, xrefs: 004E3283

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 0bc485e53f564070ad43509a40123167d2e3e1b4e1a1a235ab05006dbdcdb1eb
Instruction ID: 030c2180853b82939f854c4c296609c96ff308b8a412d47a21f71583818a4387
Opcode Fuzzy Hash: 0bc485e53f564070ad43509a40123167d2e3e1b4e1a1a235ab05006dbdcdb1eb
Instruction Fuzzy Hash: 1ED0A7B15812986FC300AFB0BD4C9B63F95EE053403114033FA08D2310DB740421CF9D

Function 004E8639 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004E8630,004E443B,004E3B4A), ref: 004E8647
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004E8655
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004E866E
SetLastError.KERNEL32(00000000,004E8630,004E443B,004E3B4A), ref: 004E86C0

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5cbce045127b9657caeab8f853b3b9c01aca35ac18037df41e9cdb7a6e7309c3
Instruction ID: 29c8696a6180125dd52c781c27b408f51fe807a7412f821642c13ef15e8dc18f
Opcode Fuzzy Hash: 5cbce045127b9657caeab8f853b3b9c01aca35ac18037df41e9cdb7a6e7309c3
Instruction Fuzzy Hash: 2701D4322083925EAE25277BBCC553B2785EB4177F720063FF518452F0EF595C21918C

Function 004E8BF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004E8CB7
___AdjustPointer.LIBCMT ref: 004E8CDA
___AdjustPointer.LIBCMT ref: 004E8D76

Strings

f2N, xrefs: 004E8C4F

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AdjustPointer
String ID: f2N
API String ID: 1740715915-3473888870
Opcode ID: 0c23ff0a8afc360b08b56ce49b60507995906ff81fe73c07b264dbcf3598928a
Instruction ID: c85decbac06da8aa923f296293e66adfa0a03cd46c206ca2bab7cd37f5dcfb1e
Opcode Fuzzy Hash: 0c23ff0a8afc360b08b56ce49b60507995906ff81fe73c07b264dbcf3598928a
Instruction Fuzzy Hash: 1951DF72A012869FEF298F53D841F7A73A4EF50307F24452FE809572D1DB38A851C7A8

Function 004EDC9B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\cache_registerer.exe, xrefs: 004EDCB7

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\cache_registerer.exe
API String ID: 0-414123086
Opcode ID: 480038e1e7bcdbfddf578708c542856f88b25d234c754e125afbf6366f758249
Instruction ID: 15905a2eebc9461af385f875af3a7440a7ba6be052670de9b02c2609af68f94c
Opcode Fuzzy Hash: 480038e1e7bcdbfddf578708c542856f88b25d234c754e125afbf6366f758249
Instruction Fuzzy Hash: DE219231E00289EF9B20AF739C81D6B7768EF4036A710452BF91997250DB38EC50C799

Function 004EF1A5 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004EF22A
__alloca_probe_16.LIBCMT ref: 004EF2F3
__freea.LIBCMT ref: 004EF35A

Part of subcall function 004EB8D6: RtlAllocateHeap.NTDLL(00000000,004EAB77,?,?,004EAB77,00000220,?,00000000,?), ref: 004EB908

__freea.LIBCMT ref: 004EF36D
__freea.LIBCMT ref: 004EF37A

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 0adedcd2f944655d1316926dc85b6407fcbb3a063706d69186208696aa165213
Instruction ID: b9cc9a5541b4ef260a597690386e19837797a05c6903fd3cbacdbbed8ec6b4a5
Opcode Fuzzy Hash: 0adedcd2f944655d1316926dc85b6407fcbb3a063706d69186208696aa165213
Instruction Fuzzy Hash: B451D37260028AAFDB209F67CC81EBB76A9EF44756B15053FFD04D6250EB78CC14C668

Function 004E30C1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004E30D5
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E30F4
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E3122
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E317D
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E3194

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: cc43c2eab41b94efca16986990c753b52e64983f005bc7b139cea560e2b0b944
Instruction ID: 797ec950b60df43a2bcef84ead2ac1e664097b952eb31c4c60d1f882e8929af2
Opcode Fuzzy Hash: cc43c2eab41b94efca16986990c753b52e64983f005bc7b139cea560e2b0b944
Instruction Fuzzy Hash: B341383060068ADBCB26CF67C98896AF3B5FF05317B50892FD44697A40D738EA45CB69

Function 004E8B59 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 004E8DD0

Strings

csm, xrefs: 004E8DF2
csm, xrefs: 004E8E63
f2N, xrefs: 004E8E98

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm$f2N
API String ID: 3493665558-4118698419
Opcode ID: 87adee511c74e47a9544c913497bf5da4f48f1a3a76cf02456d6301a7d20d12d
Instruction ID: e6d59a5d26ca582b3d05a9c98b0659f1a8c9dd67b1951e8a0796d6740100b500
Opcode Fuzzy Hash: 87adee511c74e47a9544c913497bf5da4f48f1a3a76cf02456d6301a7d20d12d
Instruction Fuzzy Hash: 7D31D6318002889BCF268F9ACD4096B7B66FF1971BB14459FF85C89221CB3ADC61DB95

Function 004E1C40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registrywindowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004E1C9D
RegisterClassW.USER32(?), ref: 004E1CB2
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004E1CDB

Strings

`O, xrefs: 004E1CA7

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ClassHandleMessageModuleRegister
String ID: `O
API String ID: 1585107554-1900571490
Opcode ID: 6addfd029342aff327c0941a4b51867e55abe4471d99fcf0700e600ec2a0d08a
Instruction ID: 8dc3b02378dbf193aca33bcfa74388ef0bf8223f888fc6e38c51fed85050d31c
Opcode Fuzzy Hash: 6addfd029342aff327c0941a4b51867e55abe4471d99fcf0700e600ec2a0d08a
Instruction Fuzzy Hash: 3421A2B1C8038D9BDB10CFA1DD45BEEBBB4FF45714F20522AE508B6250E7B81690CB98

Function 004EEEE6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,004EEF82,00000000,?,004FF760,?,?,?,004EEEB9,00000004,InitializeCriticalSectionEx,004F78B0,004F78B8), ref: 004EEEF3
GetLastError.KERNEL32(?,004EEF82,00000000,?,004FF760,?,?,?,004EEEB9,00000004,InitializeCriticalSectionEx,004F78B0,004F78B8,00000000,?,004E951C), ref: 004EEEFD
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004EEF25

Strings

api-ms-, xrefs: 004EEF0A

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: aefb92c1cd499ee75fc578f8b51b5180f78d651b4c4020f5c9c1f54ce3afe991
Instruction ID: ba38d6b1142de347ce68c22e378a92d5380a1ccedae0f9ba115d150138edeedd
Opcode Fuzzy Hash: aefb92c1cd499ee75fc578f8b51b5180f78d651b4c4020f5c9c1f54ce3afe991
Instruction Fuzzy Hash: 1AE01A3168428CB6EB105B62ED46F793E56EB08B56F104031F90CA81E1DB66A820994C

Function 004EF86C Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(6F282CA8,00000000,00000000,?), ref: 004EF8CF

Part of subcall function 004EE356: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EF350,?,00000000,-00000008), ref: 004EE3B7

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004EFB21
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004EFB67
GetLastError.KERNEL32 ref: 004EFC0A

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ff896ca65fe88481f101e41b637f206f207c4bdfc0f510fd82fc1965079f89d0
Instruction ID: b793e5a9952eae2cf7b9177b4b0e31a34aa1ca067f5899218f95f312baaff20b
Opcode Fuzzy Hash: ff896ca65fe88481f101e41b637f206f207c4bdfc0f510fd82fc1965079f89d0
Instruction Fuzzy Hash: 4AD1AEB5D00288AFCF14CFA9D880AEEBBB5FF09305F24412AE956EB351D734A945CB54

Function 004ED6FF Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 004EE356: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EF350,?,00000000,-00000008), ref: 004EE3B7

GetLastError.KERNEL32 ref: 004ED763
__dosmaperr.LIBCMT ref: 004ED76A
GetLastError.KERNEL32(?,?,?,?), ref: 004ED7A4
__dosmaperr.LIBCMT ref: 004ED7AB

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 0f7e7dfd34060a2fc57e44d54c8e29918d82cb19408f0a6224e4e71fc56b7bc5
Instruction ID: ffb8b0524311f2daf323266539626af169298d38041e3eac8c582f8a366b4416
Opcode Fuzzy Hash: 0f7e7dfd34060a2fc57e44d54c8e29918d82cb19408f0a6224e4e71fc56b7bc5
Instruction Fuzzy Hash: EC21D771A00285AFDB20AF77D88182BB7A9FF4436A710852FF91987250D738EC408799

Function 004EE452 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004EE45A

Part of subcall function 004EE356: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EF350,?,00000000,-00000008), ref: 004EE3B7

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004EE492
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004EE4B2

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: dfdf6f074fe9dfe469198694fa364ccb268f4d0a495d3d536f07aa06670c97dd
Instruction ID: 7736ae442610e9907bfbd2ed0677abe5656bf3d727b0bea4e556abca18e7cfa9
Opcode Fuzzy Hash: dfdf6f074fe9dfe469198694fa364ccb268f4d0a495d3d536f07aa06670c97dd
Instruction Fuzzy Hash: 5711C4F29016997F672137B3ADC9C7F295CDF4439A711042AF905D1281FE28DD01817E

Function 004F429C Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,004F311E,00000000,00000001,?,?,?,004EFC5E,?,00000000,00000000), ref: 004F42B3
GetLastError.KERNEL32(?,004F311E,00000000,00000001,?,?,?,004EFC5E,?,00000000,00000000,?,?,?,004EF5A4,?), ref: 004F42BF

Part of subcall function 004F4310: CloseHandle.KERNEL32(FFFFFFFE,004F42CF,?,004F311E,00000000,00000001,?,?,?,004EFC5E,?,00000000,00000000,?,?), ref: 004F4320

___initconout.LIBCMT ref: 004F42CF

Part of subcall function 004F42F1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004F428D,004F310B,?,?,004EFC5E,?,00000000,00000000,?), ref: 004F4304

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,004F311E,00000000,00000001,?,?,?,004EFC5E,?,00000000,00000000,?), ref: 004F42E4

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: beeea429308866e40f5dac41dbf8223daa2e30b11d7e3d801495b46097e02bb0
Instruction ID: 208f67091c6c7e2551cb53f20588245a241add431e586c98f5f9792c4756819b
Opcode Fuzzy Hash: beeea429308866e40f5dac41dbf8223daa2e30b11d7e3d801495b46097e02bb0
Instruction Fuzzy Hash: 24F0F837500118BBCF221FE69C049AE3F26EF893A1B014471FA0895230CA328920DBA8

Function 004E92ED Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,004E91EE,?,?,00000000,00000000,00000000,?), ref: 004E9312

Strings

MOC, xrefs: 004E9324
RCC, xrefs: 004E932C

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9ee6e714edf571f2591ee14cf96e252b48342cc5ef001b0c4d4301a3d2f09896
Instruction ID: 45d0440b6ee468982672d904edc0a2a54e002cc86dd0d13e214571b77003e069
Opcode Fuzzy Hash: 9ee6e714edf571f2591ee14cf96e252b48342cc5ef001b0c4d4301a3d2f09896
Instruction Fuzzy Hash: BA41A931900248EFCF11DF96C981AEE7BB5FF48305F1880AAFA0867291D3399D51CB58

Function 004E329D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,004E320F,?,?,?,?,004E3233,000000FF,?,?,?,004E314B,00000000), ref: 004E32D5
GetSystemTimeAsFileTime.KERNEL32(?,6F282CA8,?,?,004F5C69,000000FF,?,004E320F,?,?,?,?,004E3233,000000FF,?), ref: 004E32D9

Strings

f2N, xrefs: 004E32CF

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: f2N
API String ID: 743729956-3473888870
Opcode ID: 6f0f704868a079bb56e07cb38a0c1639da0f50e92df2f46d70f276a42fd62300
Instruction ID: 055cf9c32bf43508d6ec10f5f259e4844838330a6048965798c954becb4177c1
Opcode Fuzzy Hash: 6f0f704868a079bb56e07cb38a0c1639da0f50e92df2f46d70f276a42fd62300
Instruction Fuzzy Hash: 5BF03772A04598EFC7018F45EC48B6977A8FB05B15F114577E91293790D7356900CB98

Function 004E99FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 004E9A3C

Strings

InitializeCriticalSectionEx, xrefs: 004E9A0C
f2N, xrefs: 004E9A2C

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$f2N
API String ID: 2593887523-3968345832
Opcode ID: eb102753a61a030dd00031c61e22919c9f5787a2c6e8aac1fda9c94d3c76ff47
Instruction ID: 5796170e23a566131090ab9c5b1cc6ca1491ae3ff999f14c186e6b4c5c656c69
Opcode Fuzzy Hash: eb102753a61a030dd00031c61e22919c9f5787a2c6e8aac1fda9c94d3c76ff47
Instruction Fuzzy Hash: 8CE0923154025CBBCB216F42EC05EAE3F11DF40BA1F114032FE18251A1C67A4C21DBD9

Function 004E98FD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 004E9931

Strings

FlsAlloc, xrefs: 004E990D
f2N, xrefs: 004E9927

Memory Dump Source

Source File: 00000000.00000002.1716565548.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1716551998.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716585341.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716600870.00000000004FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716615077.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716630035.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1716645751.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_cache_registerer.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc$f2N
API String ID: 2773662609-3652087093
Opcode ID: 7c3d8a78527493fb93c79e5be52444f79823a08b53e9231530b7f879ec98425b
Instruction ID: 41c02121851a7dbc20c9537618e039e99ee3877a906923dbdf3cad1d46ef026a
Opcode Fuzzy Hash: 7c3d8a78527493fb93c79e5be52444f79823a08b53e9231530b7f879ec98425b
Instruction Fuzzy Hash: C6E0C27168426CB3C6207792AC06FBE7E44CB40B61B120037FE05212E28AAD1C2186EE

Analysis Process: cache_registerer.exePID: 7424, Parent PID: 7336COMMON

Non-executed Functions

Function 004E17D0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 293fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(00000000,00000000), ref: 004E185C
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004E1885
CloseHandle.KERNEL32(00000000), ref: 004E1895
CloseHandle.KERNEL32(00000000), ref: 004E1B20
CloseHandle.KERNEL32(00000000), ref: 004E1B35

Strings

(, xrefs: 004E18D0

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CloseHandle$File$ReadSize
String ID: (
API String ID: 2509154390-3887548279
Opcode ID: c6825ebe0d36bf865c3cc6505edcf1fb1ac4ab4c6c0cbcfa2ed89ae3fea0b994
Instruction ID: ce394cc38b9e22c3950c84662fca1a6e48408651b17ca16b05e4ff261ee10224
Opcode Fuzzy Hash: c6825ebe0d36bf865c3cc6505edcf1fb1ac4ab4c6c0cbcfa2ed89ae3fea0b994
Instruction Fuzzy Hash: E3A12972D402548FCB10DFB9DD85AAEFBB6BF4A310F14162AE801A7361E7389941CB58

Function 004F1A10 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7946e7d3bd8a4c71b1004167feaff1146a0b4289e9922db4fb30fff94b398ee0
Instruction ID: c395606fd1b3a71c2300a007e3a781ce5cf0bcb956fb9cbc4c5ea10631d6fa53
Opcode Fuzzy Hash: 7946e7d3bd8a4c71b1004167feaff1146a0b4289e9922db4fb30fff94b398ee0
Instruction Fuzzy Hash: 22023D71E01219DBDF14CFA9C980AAEBBB1FF49314F24826ADA15E7350D735AA01CB94

Function 004ED922 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004EDA12

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 56284418b3cac183010dd286b12ba015729ffcab22b5262812da05654a76aed4
Instruction ID: 9cb8db5a398baf25ea408c6947827964e0fff2bb0efb087fbed6c2c368c6d888
Opcode Fuzzy Hash: 56284418b3cac183010dd286b12ba015729ffcab22b5262812da05654a76aed4
Instruction Fuzzy Hash: 2471D4B1D041985FDF20EF26CC89ABAB7B9EF05305F1441EBE449A7251EA385E858F18

Function 004E39F1 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 004E39FD
IsDebuggerPresent.KERNEL32 ref: 004E3AC9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004E3AE2
UnhandledExceptionFilter.KERNEL32(?), ref: 004E3AEC

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 42e566195971a8affdb01bd09a1e9deafb93bf1cad67a6f74299b8098f6b5023
Instruction ID: 6859b25dada4fd463706a887458e82804bdefdc2cb6406f6515909c40dbb0cd7
Opcode Fuzzy Hash: 42e566195971a8affdb01bd09a1e9deafb93bf1cad67a6f74299b8098f6b5023
Instruction Fuzzy Hash: 00312975C0521C9BDB21DF65DD89BCDBBB8AF48305F1041AAE40DAB250E7749B84CF49

Function 004E13F0 Relevance: 4.6, APIs: 3, Instructions: 149encryptionCOMMON

Download Yara Rule

APIs

CoResumeClassObjects.OLE32 ref: 004E150E
CryptContextAddRef.ADVAPI32(00000000,00000000,00000000), ref: 004E1521
GetLastError.KERNEL32 ref: 004E1583

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ClassContextCryptErrorLastObjectsResume
String ID:
API String ID: 88197900-0
Opcode ID: 473e48b583952ff5293705384faad5d733607fd9199ebf8496d5f7629d15d115
Instruction ID: 6fb79226ae56b7aef96ded89034f9f412758e8d320faf64dc3843e2740487f58
Opcode Fuzzy Hash: 473e48b583952ff5293705384faad5d733607fd9199ebf8496d5f7629d15d115
Instruction Fuzzy Hash: FB5180708052988BDF11CFA9D445BEEBFB0BF0A315F1441AAD845B3381C3795A05CFA9

Function 004ED871 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004EB78E: HeapAlloc.KERNEL32(00000008,?,004E2CB3,?,004EA015,00000001,00000364,004E2CB3,FFFFFFFF,000000FF,?,004E4545,004E20CC,004E20CA), ref: 004EB7CF

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004EDA12
FindNextFileW.KERNEL32(00000000,?), ref: 004EDB06
FindClose.KERNEL32(00000000), ref: 004EDB45
FindClose.KERNEL32(00000000), ref: 004EDB78

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 971c320d8fc59a71991269f39bf5820e50b6e3f1e4a9dae66c87240fa45fe2cb
Instruction ID: 5f5bdfd39460d23d56d6e7638618367513c817d66a3504fb311680f6018fadfe
Opcode Fuzzy Hash: 971c320d8fc59a71991269f39bf5820e50b6e3f1e4a9dae66c87240fa45fe2cb
Instruction Fuzzy Hash: 36516AB5D00188AEDB10AF2B9C849BF77B9DF85309F14419FF45893302EA388D418B28

Function 004E1D30 Relevance: 18.2, APIs: 12, Instructions: 176threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004E1D63
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004E1D76

Part of subcall function 004E234A: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004E2E92
Part of subcall function 004E234A: ___raise_securityfailure.LIBCMT ref: 004E2F7A

GetCurrentThreadId.KERNEL32 ref: 004E1DFA

Part of subcall function 004E2E15: WaitForSingleObjectEx.KERNEL32(004E17D0,000000FF,00000000,?,?,?,004E1E17,?,004E17D0,00000000), ref: 004E2E21
Part of subcall function 004E2E15: GetExitCodeThread.KERNEL32(004E17D0,00000000,?,?,004E1E17,?,004E17D0,00000000), ref: 004E2E3A
Part of subcall function 004E2E15: CloseHandle.KERNEL32(004E17D0,?,?,004E1E17,?,004E17D0,00000000), ref: 004E2E4C

Part of subcall function 004E6F9F: CreateThread.KERNEL32(00000000,00000000,004E70B7,00000000,00000000,00000000,?,?,?,?,004E1DD3,00000000,00000000), ref: 004E6FE8
Part of subcall function 004E6F9F: GetLastError.KERNEL32(?,?,?,?,004E1DD3,00000000,00000000), ref: 004E6FF4
Part of subcall function 004E6F9F: __dosmaperr.LIBCMT ref: 004E6FFB

GetCurrentThreadId.KERNEL32 ref: 004E1E95
std::_Throw_Cpp_error.LIBCPMT ref: 004E1EED
std::_Throw_Cpp_error.LIBCPMT ref: 004E1EFF
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F0E
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F1D
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F2C
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F3E
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F50
std::_Throw_Cpp_error.LIBCPMT ref: 004E1F62

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CurrentHandleModule$CloseCodeCreateErrorExitFeatureFileLastNameObjectPresentProcessorSingleWait___raise_securityfailure__dosmaperr
String ID:
API String ID: 610485761-0
Opcode ID: 8c7cc4c47a7f79e7cd6bd81148d5d372a0c3d610bf0d06e678a12313079f2852
Instruction ID: b20f996ec65aa9b0dade429103d1e6096bef79de02afadcdeaa339789c258213
Opcode Fuzzy Hash: 8c7cc4c47a7f79e7cd6bd81148d5d372a0c3d610bf0d06e678a12313079f2852
Instruction Fuzzy Hash: AB51D1B1D812499BEB10EFA6CD02BDFB6B4AF05715F040269E914373D0E7F96904CAA9

Function 004E4650 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004E4687
___except_validate_context_record.LIBVCRUNTIME ref: 004E468F
_ValidateLocalCookies.LIBCMT ref: 004E4718
__IsNonwritableInCurrentImage.LIBCMT ref: 004E4743
_ValidateLocalCookies.LIBCMT ref: 004E4798

Strings

csm, xrefs: 004E472D
f2N, xrefs: 004E475C
]CN, xrefs: 004E4735, 004E473E, 004E474F

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: ]CN$csm$f2N
API String ID: 1170836740-4281818672
Opcode ID: 86a3ff014dd28bbef5893d61a9e3dd883c1731beaa14df2a05da0064921b5484
Instruction ID: f0ee2f20e658cd107181b30a80d5897964b80284da1c5876d360a2d0d408edd8
Opcode Fuzzy Hash: 86a3ff014dd28bbef5893d61a9e3dd883c1731beaa14df2a05da0064921b5484
Instruction Fuzzy Hash: F041EA749002889BCF10DF6BC884A9E7BB1FF86316F14855BE9145B392C739AD11CBD9

Function 004F3FDE Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,004F3FC9,?,?,?,?,?,?,?,?,?,?), ref: 004F4084
__alloca_probe_16.LIBCMT ref: 004F413F
__alloca_probe_16.LIBCMT ref: 004F41CE
__freea.LIBCMT ref: 004F4219
__freea.LIBCMT ref: 004F421F
__freea.LIBCMT ref: 004F4255
__freea.LIBCMT ref: 004F425B
__freea.LIBCMT ref: 004F426B

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 138fc07833c29fa64bd5b0da5ab7febe6d8de2372145f6eced73ccaac467e53b
Instruction ID: 8f09314e629e486dd1eb306bb9ed3d74aa021fd0bb599afa1b116f81e28217cc
Opcode Fuzzy Hash: 138fc07833c29fa64bd5b0da5ab7febe6d8de2372145f6eced73ccaac467e53b
Instruction Fuzzy Hash: 3B71D23290020D6BDF209E958D81BBF77A9AF89355F16016BFB04A7381DF3D8D4187A9

Function 004EC28B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004EC311

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6f50279ee7fba881e46e44fc6ac24256dd30adf8a6b45f72db007344eb616516
Instruction ID: 78f12f27d62d3ded8f5f901ff6426e784df0c48a370059c5c665017b964e3206
Opcode Fuzzy Hash: 6f50279ee7fba881e46e44fc6ac24256dd30adf8a6b45f72db007344eb616516
Instruction Fuzzy Hash: 24B158729002E5AFDB118F6ACCC1BBF7BA5EF55311F144157E904AB382D778A902C7A8

Function 004E9BBE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,004E9CCD,004E20CA,?,00000000,004E2CB3,004E20CC,?,004E99D6,00000022,FlsSetValue,004F6F54,004F6F5C,004E2CB3), ref: 004E9C7F

Strings

ext-ms-, xrefs: 004E9C29
api-ms-, xrefs: 004E9C15

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 7d36d20435da772b93ab9856b512b61643e36e1aedf97770ff7fd2ed79235f94
Instruction ID: b57c0fcb4fbb1178145c58b20c90dc1f3e423b263c6445021c01c9bda7270e53
Opcode Fuzzy Hash: 7d36d20435da772b93ab9856b512b61643e36e1aedf97770ff7fd2ed79235f94
Instruction Fuzzy Hash: C521E732A00298ABD721AB22DD84A7B37D9EF41766F340172E916A73D0D638FD11C6DC

Function 004E720B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,004F5CA3,000000FF,?,004E72CC,004E71B3,?,004E7368,00000000), ref: 004E7240
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,004F5CA3,000000FF,?,004E72CC,004E71B3,?,004E7368,00000000), ref: 004E7252
FreeLibrary.KERNEL32(00000000,?,?,00000000,004F5CA3,000000FF,?,004E72CC,004E71B3,?,004E7368,00000000), ref: 004E7274

Strings

CorExitProcess, xrefs: 004E724A
mscoree.dll, xrefs: 004E7239
f2N, xrefs: 004E7263

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$f2N$mscoree.dll
API String ID: 4061214504-910826858
Opcode ID: 2355bfe69f99ae440f8c8e13b386a9891451ca7418b5b0231942854c0adb9b52
Instruction ID: dbb457a70cc5ad449ec3bf9d0adc6983b1f1e46cacdda80b76889d0e0767bceb
Opcode Fuzzy Hash: 2355bfe69f99ae440f8c8e13b386a9891451ca7418b5b0231942854c0adb9b52
Instruction Fuzzy Hash: B501A27194469DAFDB118F55CD49BBEBBB8FB04B26F104936F911A22D0DB789810CB88

Function 004E3269 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004E326F
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004E327D
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004E328E

Strings

kernel32.dll, xrefs: 004E326A
GetSystemTimePreciseAsFileTime, xrefs: 004E3277
GetTempPath2W, xrefs: 004E3283

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 0bc485e53f564070ad43509a40123167d2e3e1b4e1a1a235ab05006dbdcdb1eb
Instruction ID: 030c2180853b82939f854c4c296609c96ff308b8a412d47a21f71583818a4387
Opcode Fuzzy Hash: 0bc485e53f564070ad43509a40123167d2e3e1b4e1a1a235ab05006dbdcdb1eb
Instruction Fuzzy Hash: 1ED0A7B15812986FC300AFB0BD4C9B63F95EE053403114033FA08D2310DB740421CF9D

Function 004E8639 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004E8630,004E443B,004E3B4A), ref: 004E8647
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004E8655
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004E866E
SetLastError.KERNEL32(00000000,004E8630,004E443B,004E3B4A), ref: 004E86C0

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5cbce045127b9657caeab8f853b3b9c01aca35ac18037df41e9cdb7a6e7309c3
Instruction ID: 29c8696a6180125dd52c781c27b408f51fe807a7412f821642c13ef15e8dc18f
Opcode Fuzzy Hash: 5cbce045127b9657caeab8f853b3b9c01aca35ac18037df41e9cdb7a6e7309c3
Instruction Fuzzy Hash: 2701D4322083925EAE25277BBCC553B2785EB4177F720063FF518452F0EF595C21918C

Function 004E8EC9 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 004E8FE8
CallUnexpected.LIBVCRUNTIME ref: 004E9261

Strings

csm, xrefs: 004E8F73
csm, xrefs: 004E901F
csm, xrefs: 004E8F06

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 42e9184124ad4c701ef1d53e3cebb99c655e609bcfbb8f42b37a8a301d784419
Instruction ID: faafa6106325cdfaa9a5367462a12935de7f479949a097045fec0bf31ec3126c
Opcode Fuzzy Hash: 42e9184124ad4c701ef1d53e3cebb99c655e609bcfbb8f42b37a8a301d784419
Instruction Fuzzy Hash: 8FB18871800289EFCF14DFA6C8849AEB7B9BF04306F14459FE8156B282D739DE51CB99

Function 004E8BF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004E8CB7
___AdjustPointer.LIBCMT ref: 004E8CDA
___AdjustPointer.LIBCMT ref: 004E8D76

Strings

f2N, xrefs: 004E8C4F

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AdjustPointer
String ID: f2N
API String ID: 1740715915-3473888870
Opcode ID: f82c0f00299a604b2c16f1948ce1c398e511bfce0618aea6098c9b2c6770c39b
Instruction ID: c85decbac06da8aa923f296293e66adfa0a03cd46c206ca2bab7cd37f5dcfb1e
Opcode Fuzzy Hash: f82c0f00299a604b2c16f1948ce1c398e511bfce0618aea6098c9b2c6770c39b
Instruction Fuzzy Hash: 1951DF72A012869FEF298F53D841F7A73A4EF50307F24452FE809572D1DB38A851C7A8

Function 004EF1A5 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004EF22A
__alloca_probe_16.LIBCMT ref: 004EF2F3
__freea.LIBCMT ref: 004EF35A

Part of subcall function 004EB8D6: HeapAlloc.KERNEL32(00000000,004E2CB3,004E20CA,?,004E4545,004E20CC,004E20CA,?,?,?,004E23F8,004E2CB3,004E20CE,004E20CA,004E20CA,004E20CA), ref: 004EB908

__freea.LIBCMT ref: 004EF36D
__freea.LIBCMT ref: 004EF37A

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: feecee7aaec537a8de88f001675fe50c7a7e0e9e7d9916fd496d4f9318ce74e7
Instruction ID: b9cc9a5541b4ef260a597690386e19837797a05c6903fd3cbacdbbed8ec6b4a5
Opcode Fuzzy Hash: feecee7aaec537a8de88f001675fe50c7a7e0e9e7d9916fd496d4f9318ce74e7
Instruction Fuzzy Hash: B451D37260028AAFDB209F67CC81EBB76A9EF44756B15053FFD04D6250EB78CC14C668

Function 004E30C1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(004FE64C,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E30D5
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E30F4
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E3122
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E317D
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,004F5C4C,000000FF,?,004E211F), ref: 004E3194

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: cc43c2eab41b94efca16986990c753b52e64983f005bc7b139cea560e2b0b944
Instruction ID: 797ec950b60df43a2bcef84ead2ac1e664097b952eb31c4c60d1f882e8929af2
Opcode Fuzzy Hash: cc43c2eab41b94efca16986990c753b52e64983f005bc7b139cea560e2b0b944
Instruction Fuzzy Hash: B341383060068ADBCB26CF67C98896AF3B5FF05317B50892FD44697A40D738EA45CB69

Function 004E8B59 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 004E8DD0

Strings

f2N, xrefs: 004E8E98
csm, xrefs: 004E8E63
csm, xrefs: 004E8DF2

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm$f2N
API String ID: 3493665558-4118698419
Opcode ID: 329689eaa7c96e80bdbe1b0b0d4d2f8022258f6be0f1bdf4982b59f82cb54830
Instruction ID: e6d59a5d26ca582b3d05a9c98b0659f1a8c9dd67b1951e8a0796d6740100b500
Opcode Fuzzy Hash: 329689eaa7c96e80bdbe1b0b0d4d2f8022258f6be0f1bdf4982b59f82cb54830
Instruction Fuzzy Hash: 7D31D6318002889BCF268F9ACD4096B7B66FF1971BB14459FF85C89221CB3ADC61DB95

Function 004E1C40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registrywindowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 004E1C9D
RegisterClassW.USER32(?), ref: 004E1CB2
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004E1CDB

Strings

`O, xrefs: 004E1CA7

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ClassHandleMessageModuleRegister
String ID: `O
API String ID: 1585107554-1900571490
Opcode ID: 6addfd029342aff327c0941a4b51867e55abe4471d99fcf0700e600ec2a0d08a
Instruction ID: 8dc3b02378dbf193aca33bcfa74388ef0bf8223f888fc6e38c51fed85050d31c
Opcode Fuzzy Hash: 6addfd029342aff327c0941a4b51867e55abe4471d99fcf0700e600ec2a0d08a
Instruction Fuzzy Hash: 3421A2B1C8038D9BDB10CFA1DD45BEEBBB4FF45714F20522AE508B6250E7B81690CB98

Function 004EEEE6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,004EEF82,00000000,?,004FF760,?,?,?,004EEEB9,00000004,InitializeCriticalSectionEx,004F78B0,004F78B8), ref: 004EEEF3
GetLastError.KERNEL32(?,004EEF82,00000000,?,004FF760,?,?,?,004EEEB9,00000004,InitializeCriticalSectionEx,004F78B0,004F78B8,00000000,?,004E951C), ref: 004EEEFD
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 004EEF25

Strings

api-ms-, xrefs: 004EEF0A

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: aefb92c1cd499ee75fc578f8b51b5180f78d651b4c4020f5c9c1f54ce3afe991
Instruction ID: ba38d6b1142de347ce68c22e378a92d5380a1ccedae0f9ba115d150138edeedd
Opcode Fuzzy Hash: aefb92c1cd499ee75fc578f8b51b5180f78d651b4c4020f5c9c1f54ce3afe991
Instruction Fuzzy Hash: 1AE01A3168428CB6EB105B62ED46F793E56EB08B56F104031F90CA81E1DB66A820994C

Function 004EF86C Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 004EF8CF

Part of subcall function 004EE356: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EF350,?,00000000,-00000008), ref: 004EE3B7

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004EFB21
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004EFB67
GetLastError.KERNEL32 ref: 004EFC0A

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ff896ca65fe88481f101e41b637f206f207c4bdfc0f510fd82fc1965079f89d0
Instruction ID: b793e5a9952eae2cf7b9177b4b0e31a34aa1ca067f5899218f95f312baaff20b
Opcode Fuzzy Hash: ff896ca65fe88481f101e41b637f206f207c4bdfc0f510fd82fc1965079f89d0
Instruction Fuzzy Hash: 4AD1AEB5D00288AFCF14CFA9D880AEEBBB5FF09305F24412AE956EB351D734A945CB54

Function 004ED6FF Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 004EE356: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EF350,?,00000000,-00000008), ref: 004EE3B7

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,004EDAA5,?,?,?,00000000), ref: 004ED763
__dosmaperr.LIBCMT ref: 004ED76A
GetLastError.KERNEL32(00000000,004EDAA5,?,?,00000000,?,?,?,00000000,00000000,?,004EDAA5,?,?,?,00000000), ref: 004ED7A4
__dosmaperr.LIBCMT ref: 004ED7AB

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: a37366888a8b012fb6e6cf3681e2b2267c796d1c40f31ffe869ae3e3fd855806
Instruction ID: ffb8b0524311f2daf323266539626af169298d38041e3eac8c582f8a366b4416
Opcode Fuzzy Hash: a37366888a8b012fb6e6cf3681e2b2267c796d1c40f31ffe869ae3e3fd855806
Instruction Fuzzy Hash: EC21D771A00285AFDB20AF77D88182BB7A9FF4436A710852FF91987250D738EC408799

Function 004EDC9B Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004c5ebf7016cc2a429cf143740bfdb9bacc4bc3fdb9a7c5dcf49a3cc08a9deb
Instruction ID: 15905a2eebc9461af385f875af3a7440a7ba6be052670de9b02c2609af68f94c
Opcode Fuzzy Hash: 004c5ebf7016cc2a429cf143740bfdb9bacc4bc3fdb9a7c5dcf49a3cc08a9deb
Instruction Fuzzy Hash: DE219231E00289EF9B20AF739C81D6B7768EF4036A710452BF91997250DB38EC50C799

Function 004EE452 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004EE45A

Part of subcall function 004EE356: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004EF350,?,00000000,-00000008), ref: 004EE3B7

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004EE492
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004EE4B2

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 26e98a53a30b934244be966a72a9165bc6360b9e406d95a4f33f5ed62d563918
Instruction ID: 7736ae442610e9907bfbd2ed0677abe5656bf3d727b0bea4e556abca18e7cfa9
Opcode Fuzzy Hash: 26e98a53a30b934244be966a72a9165bc6360b9e406d95a4f33f5ed62d563918
Instruction Fuzzy Hash: 5711C4F29016997F672137B3ADC9C7F295CDF4439A711042AF905D1281FE28DD01817E

Function 004F429C Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,004F311E,00000000,00000001,?,?,?,004EFC5E,?,00000000,00000000), ref: 004F42B3
GetLastError.KERNEL32(?,004F311E,00000000,00000001,?,?,?,004EFC5E,?,00000000,00000000,?,?,?,004EF5A4,?), ref: 004F42BF

Part of subcall function 004F4310: CloseHandle.KERNEL32(FFFFFFFE,004F42CF,?,004F311E,00000000,00000001,?,?,?,004EFC5E,?,00000000,00000000,?,?), ref: 004F4320

___initconout.LIBCMT ref: 004F42CF

Part of subcall function 004F42F1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004F428D,004F310B,?,?,004EFC5E,?,00000000,00000000,?), ref: 004F4304

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,004F311E,00000000,00000001,?,?,?,004EFC5E,?,00000000,00000000,?), ref: 004F42E4

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: beeea429308866e40f5dac41dbf8223daa2e30b11d7e3d801495b46097e02bb0
Instruction ID: 208f67091c6c7e2551cb53f20588245a241add431e586c98f5f9792c4756819b
Opcode Fuzzy Hash: beeea429308866e40f5dac41dbf8223daa2e30b11d7e3d801495b46097e02bb0
Instruction Fuzzy Hash: 24F0F837500118BBCF221FE69C049AE3F26EF893A1B014471FA0895230CA328920DBA8

Function 004E38D1 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 004E38E3
GetCurrentThreadId.KERNEL32 ref: 004E38F2
GetCurrentProcessId.KERNEL32 ref: 004E38FB
QueryPerformanceCounter.KERNEL32(?), ref: 004E3908

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 20916d76fe32a96991029c62488466a31a32a17b242dfcae133c44c7e97df1f4
Instruction ID: 3bfa3aeba0c157efc870a2a102dd06777a3c9ec1d827bf4950336c330389af47
Opcode Fuzzy Hash: 20916d76fe32a96991029c62488466a31a32a17b242dfcae133c44c7e97df1f4
Instruction Fuzzy Hash: E8F05F75D1020DEBCB00DBB4DA8999EBBF4EF1C200B9145A5A412E6110EA30AB54DB55

Function 004E92ED Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,004E91EE,?,?,00000000,00000000,00000000,?), ref: 004E9312

Strings

RCC, xrefs: 004E932C
MOC, xrefs: 004E9324

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 41766b43f81166e623d3c3c60ff9773f9b872b3f8d1c88be4a6de2ff87d93f59
Instruction ID: 45d0440b6ee468982672d904edc0a2a54e002cc86dd0d13e214571b77003e069
Opcode Fuzzy Hash: 41766b43f81166e623d3c3c60ff9773f9b872b3f8d1c88be4a6de2ff87d93f59
Instruction Fuzzy Hash: BA41A931900248EFCF11DF96C981AEE7BB5FF48305F1880AAFA0867291D3399D51CB58

Function 004E70B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(004FD900,0000000C), ref: 004E70CA
ExitThread.KERNEL32 ref: 004E70D1

Strings

f2N, xrefs: 004E7107

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: f2N
API String ID: 1611280651-3473888870
Opcode ID: a6929e294f63bf0fc63f3c935cc6b5765a48a12c6544121ece77d4954e0b2301
Instruction ID: e5499e37a5df0167cfa0d112ea412135bdaacc9748f0f3c350b30184e27580a4
Opcode Fuzzy Hash: a6929e294f63bf0fc63f3c935cc6b5765a48a12c6544121ece77d4954e0b2301
Instruction Fuzzy Hash: 51F0A4719002889FDB11EBB2D94AA7E3B74EF00716F10409EF10557292CF786901CB99

Function 004E99FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 004E9A3C

Strings

InitializeCriticalSectionEx, xrefs: 004E9A0C
f2N, xrefs: 004E9A2C

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$f2N
API String ID: 2593887523-3968345832
Opcode ID: 56995567bebce5066005fec148e68fde1bc4700d8df847af94d426ae395a1f6f
Instruction ID: 5796170e23a566131090ab9c5b1cc6ca1491ae3ff999f14c186e6b4c5c656c69
Opcode Fuzzy Hash: 56995567bebce5066005fec148e68fde1bc4700d8df847af94d426ae395a1f6f
Instruction Fuzzy Hash: 8CE0923154025CBBCB216F42EC05EAE3F11DF40BA1F114032FE18251A1C67A4C21DBD9

Function 004E98FD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 004E9931

Strings

FlsAlloc, xrefs: 004E990D
f2N, xrefs: 004E9927

Memory Dump Source

Source File: 00000002.00000002.1715965100.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000002.00000002.1715949120.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715983133.00000000004F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1715998156.00000000004FE000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716014934.0000000000501000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1716035704.0000000000503000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e0000_cache_registerer.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc$f2N
API String ID: 2773662609-3652087093
Opcode ID: 1a87bfdfcf120e5543bf76796374c97b2d3c2bec5e2bf8836ca4eb80aad2cf2f
Instruction ID: 41c02121851a7dbc20c9537618e039e99ee3877a906923dbdf3cad1d46ef026a
Opcode Fuzzy Hash: 1a87bfdfcf120e5543bf76796374c97b2d3c2bec5e2bf8836ca4eb80aad2cf2f
Instruction Fuzzy Hash: C6E0C27168426CB3C6207792AC06FBE7E44CB40B61B120037FE05212E28AAD1C2186EE

Analysis Process: cache_registerer.exePID: 7432, Parent PID: 7336COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.2%
Total number of Nodes:	55
Total number of Limit Nodes:	3

Executed Functions

Function 004086E0 Relevance: 6.2, APIs: 4, Instructions: 171
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408701
GetCurrentThreadId.KERNEL32 ref: 0040870B
GetForegroundWindow.USER32 ref: 004087D6
ExitProcess.KERNEL32 ref: 004088F2

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: 4d725c504cb697e1b1072c7ea759c77d04e2e58e5d46446d9ea11e9f5b1de3f4
Instruction ID: db3eb26102d3f0b772777d2e249fd12871f1e44668dc653d129765bda4179a45
Opcode Fuzzy Hash: 4d725c504cb697e1b1072c7ea759c77d04e2e58e5d46446d9ea11e9f5b1de3f4
Instruction Fuzzy Hash: DA41577BB5461407CB1CA9BA9C9636AB8C79BC4314F0E903EA985EB3C1ECBC4C054299

Function 0040A2F9 Relevance: 5.1, Strings: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

jSY, xrefs: 0040A3FC
KK, xrefs: 0040A334
GE, xrefs: 0040A32D
EA, xrefs: 0040A33B

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: EA$GE$KK$jSY
API String ID: 0-2712352731
Opcode ID: 6b5612850890102aa1f194d92166ca259fab964f7334a0f744b9098fe5a25fd6
Instruction ID: 1bf02bed26df919d9eebe443c9e000b6b72b54c7d6fa606329f1f92d68372d72
Opcode Fuzzy Hash: 6b5612850890102aa1f194d92166ca259fab964f7334a0f744b9098fe5a25fd6
Instruction Fuzzy Hash: D33140B88013008FDB58DF59D5C025ABBB0BB26710B24A298DD566F35ED778C852CF95

Function 0043AC30 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043CD88,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043AC5E

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040BAA1 Relevance: 1.4, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o`, xrefs: 0040BAF1

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 3afeffce716f12af7fdf50a34117cadacbffeb8d2f619126eb17597b6c72c5dd
Instruction ID: bb396597bf56a4805cae2838a4f82e12686c71d21dc23e85153b55c0665607a5
Opcode Fuzzy Hash: 3afeffce716f12af7fdf50a34117cadacbffeb8d2f619126eb17597b6c72c5dd
Instruction Fuzzy Hash: A331FAB41583419BC704CF24D8A1B7BBBF0EF82314F04892DE485AB2A1EB399941CB4E

Function 00434581 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 004345BA

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 5003b6105cebf7e073df1d31c6ecf68e4d6b319343acf32f7eefa00d97ffa6bf
Instruction ID: a948c4c808a8933a6211630a044125955d87cebca5a9032c0d0e1a33f13bffa5
Opcode Fuzzy Hash: 5003b6105cebf7e073df1d31c6ecf68e4d6b319343acf32f7eefa00d97ffa6bf
Instruction Fuzzy Hash: 8621A671E023848FCB18DF79EC9029CBBB26FCA310F0881ACD46A973A6C9344401CF15

Function 0043ABD0 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B564,00000000,00000001), ref: 0043AC02

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 84c6603391ed3007e074217b04235850b80664053842637ae3d98ac0229d8524
Instruction ID: 0539febb6db5d7f25aa6e68966803760ac51476a34cb6a707978f33eee451aec
Opcode Fuzzy Hash: 84c6603391ed3007e074217b04235850b80664053842637ae3d98ac0229d8524
Instruction Fuzzy Hash: 61E02B36454210FBC7002B257C05A1B7664EFCF764F121C76F40092111D639EC11C5AF

Function 00439240 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043AC1B,?,0040B564,00000000,00000001), ref: 0043925E

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d6533afcdd23708ff1a873769b0827063ef26a38b57423781407bebec1774631
Instruction ID: 2dfff643ac93fcfee3461e174413dd255d9b83d76ac5240c7297c7984b43f9b2
Opcode Fuzzy Hash: d6533afcdd23708ff1a873769b0827063ef26a38b57423781407bebec1774631
Instruction Fuzzy Hash: 85D01231545122FFC6112F55FC06B873B54EF4A361F070CA1B4006B072C675EC518AD8

Function 00439220 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043AC10), ref: 00439230

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a4031795d0808f17faf1492604ba49f2e76f5a565e63a3a47b11b606823e55a
Instruction ID: efa941ad89e9e30249e471ecf1069e86c222fed3628eba214c387c65918ff400
Opcode Fuzzy Hash: 8a4031795d0808f17faf1492604ba49f2e76f5a565e63a3a47b11b606823e55a
Instruction Fuzzy Hash: 0BC04C31445121AAD5102B55EC05B867A549F49391F014495B015660728671AC518A98

Non-executed Functions

Function 00423A81 Relevance: 25.9, Strings: 20, Instructions: 946COMMON

Download Yara Rule

Strings

pBpD, xrefs: 00423BE3
EG, xrefs: 00424437
IzK|, xrefs: 004246CE
UfWx, xrefs: 004246C6
$DeF, xrefs: 00423DE1
E4P6, xrefs: 00423D5D
*L*N, xrefs: 00423DCB
QbSd, xrefs: 004246F5
;`?b, xrefs: 0042422F
OzL|, xrefs: 00423C51
, xrefs: 00424C15, 00424C34
YjZl, xrefs: 00423C25
]n[`, xrefs: 00423C30
qr, xrefs: 00423C67
.T0V, xrefs: 00423DB5
qr, xrefs: 004246E1
3df, xrefs: 0042423A
4xz, xrefs: 00423DEC
IK, xrefs: 00424442
tFvX, xrefs: 00423BEE

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: $DeF$*L*N$.T0V$3df$4xz$;`?b$E4P6$IzK|$OzL|$QbSd$UfWx$YjZl$]n[`$pBpD$qr$qr$tFvX$EG$IK$
API String ID: 0-2439591045
Opcode ID: 042f2d1fee71e199b83dab6df17abba460ec82795e5a502bfeb25d291b49a28d
Instruction ID: e31d2bad652c1dd691e9b87d0a960c727d910a676b854f78b4d523b5516cca43
Opcode Fuzzy Hash: 042f2d1fee71e199b83dab6df17abba460ec82795e5a502bfeb25d291b49a28d
Instruction Fuzzy Hash: 2C9250B560C3918AC334CF28D4417ABBBF2FBC2300F50892DD5D96B251D7799A46CB9A

Function 0040E6A4 Relevance: 25.8, APIs: 1, Strings: 16, Instructions: 337COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E6AB

Strings

7JtL, xrefs: 0040E927
L6HH, xrefs: 0040E920
].J , xrefs: 0040E8F6
VWG[, xrefs: 0040E76D
I:G<, xrefs: 0040E90B
D&W8, xrefs: 0040E904
D>\0, xrefs: 0040E912
lR&T, xrefs: 0040E951
'V+h, xrefs: 0040E958
2FzX, xrefs: 0040E93C
/^"P, xrefs: 0040E94A
cz{|, xrefs: 0040E97B
6B4D, xrefs: 0040E935
P2G4, xrefs: 0040E919
?Z$\, xrefs: 0040E943
HSD{, xrefs: 0040E774

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: 'V+h$/^"P$2FzX$6B4D$7JtL$?Z$\$D&W8$D>\0$HSD{$I:G<$L6HH$P2G4$VWG[$].J $cz{|$lR&T
API String ID: 3861434553-1315293026
Opcode ID: 4f80af8c9985e8c816a1cc1396fbfc6dd8ed11839de4fa0cdfa0580a2e3b5888
Instruction ID: 9dd2787a9b1b3fdddd0c0a992ed7b340bf2be657c8f406717a52feda99eb9a7c
Opcode Fuzzy Hash: 4f80af8c9985e8c816a1cc1396fbfc6dd8ed11839de4fa0cdfa0580a2e3b5888
Instruction Fuzzy Hash: 40B115715047828FD319CF2AC490662FFE1BF52304B2889ADD4969F793C779E852CB54

Function 0040EA79 Relevance: 25.8, APIs: 1, Strings: 16, Instructions: 329COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040EA80

Strings

P2G4, xrefs: 0040ECE9
VWG[, xrefs: 0040EB3D
lR&T, xrefs: 0040ED21
I:G<, xrefs: 0040ECDB
2FzX, xrefs: 0040ED0C
?Z$\, xrefs: 0040ED13
D&W8, xrefs: 0040ECD4
D>\0, xrefs: 0040ECE2
'V+h, xrefs: 0040ED28
/^"P, xrefs: 0040ED1A
L6HH, xrefs: 0040ECF0
6B4D, xrefs: 0040ED05
7JtL, xrefs: 0040ECF7
cz{|, xrefs: 0040ED4B
].J , xrefs: 0040ECC6
HSD{, xrefs: 0040EB44

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: 'V+h$/^"P$2FzX$6B4D$7JtL$?Z$\$D&W8$D>\0$HSD{$I:G<$L6HH$P2G4$VWG[$].J $cz{|$lR&T
API String ID: 3861434553-1315293026
Opcode ID: 8d50cfb685fec917d10487eaeb77c5dd2a297d46adeca3be0a100ad0fabe0a7d
Instruction ID: d76b0b43646c50a595198f60ca08110104fd8a8cec366b1338a37d5860fd0411
Opcode Fuzzy Hash: 8d50cfb685fec917d10487eaeb77c5dd2a297d46adeca3be0a100ad0fabe0a7d
Instruction Fuzzy Hash: AAB113711047828FD329CF2AC091662FFE1BF56300B2889ADD4969F793C779E852CB55

Function 00422D20 Relevance: 18.2, APIs: 1, Strings: 9, Instructions: 667COMMON

Download Yara Rule

Strings

nu, xrefs: 0042342C
%m, xrefs: 00423378
%m, xrefs: 004231DB
x2, xrefs: 00423434
^#T%, xrefs: 00422F30
I/5Q, xrefs: 00422F11
CD, xrefs: 00422D66
f5B, xrefs: 00422EBB
f5B, xrefs: 00422E72

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: CD$I/5Q$^#T%$f5B$f5B$nu$x2$%m$%m
API String ID: 0-2430627429
Opcode ID: 0cf8413b8886147af376f4be4bee8ef45c6bea8fcdfaa2ad4090e2e974ef7569
Instruction ID: b5cf152fb3bb87cbf54be547a4d375c70597cdb5a9539718ecda74243c7f248e
Opcode Fuzzy Hash: 0cf8413b8886147af376f4be4bee8ef45c6bea8fcdfaa2ad4090e2e974ef7569
Instruction Fuzzy Hash: 621231B66483008FD3109FA4E88165BBBE2FBD1314F09893DE5D49B355DBB89906CB4A

Function 00431B20 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431B69
GetSystemMetrics.USER32 ref: 00431B79

Strings

5#C, xrefs: 00431D17
/"C, xrefs: 00431DB1
e$C, xrefs: 00431DBC
, xrefs: 00431C66

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: $/"C$5#C$e$C
API String ID: 4116985748-2022902200
Opcode ID: 7b1e5f04f6bace6c81d05e7cd3788225fa10350035cdafe18402aed878460e9c
Instruction ID: d56d0d642e01e3f0e07cbe5a3ff7ed3ca8ac6cfbbd34f4609053b31465a5baef
Opcode Fuzzy Hash: 7b1e5f04f6bace6c81d05e7cd3788225fa10350035cdafe18402aed878460e9c
Instruction Fuzzy Hash: D6915BB05097848FE760DF55D58878BBBF0BBC5308F40892EE5C89B251D7B99848CF96

Function 00418CB0 Relevance: 9.4, Strings: 7, Instructions: 626COMMON

Download Yara Rule

Strings

Lj;l, xrefs: 00418D3E
CrVt, xrefs: 00418D00
.zM|, xrefs: 00418CF0
Lj;l, xrefs: 00418ED5, 00418E7C, 00418E20, 00418F16
I~Lp, xrefs: 00418CF8
;, xrefs: 00418FFF
[, xrefs: 00419261

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: .zM|$;$CrVt$I~Lp$Lj;l$Lj;l$[
API String ID: 0-3250947099
Opcode ID: a67d2c745f153c1f2ea65b6272e850a324bc46c43907a95e97421c2813a1d69b
Instruction ID: 18502d90530a3473a5b49d196fb3378a49707e32445ea582a9f5eeaa38f2560f
Opcode Fuzzy Hash: a67d2c745f153c1f2ea65b6272e850a324bc46c43907a95e97421c2813a1d69b
Instruction Fuzzy Hash: 461249B2A08311CBD314CF29C8913ABBBE2EFD5714F19892DE4C58B391D7388945CB96

Function 00426080 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 428COMMON

Download Yara Rule

Strings

JK, xrefs: 004268BC
SU, xrefs: 0042687A
GI, xrefs: 004268B1
)*, xrefs: 00426C98

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: )*$JK$GI$SU
API String ID: 0-756079372
Opcode ID: 8bd8e504a034b87407e31502255312c2fdad7c9750b4d86b5a6dddd64cd212b0
Instruction ID: c302a2cde215f95bc52c2f46e944430f7c2bffc6b00a4c9c05271c4cf8ae583e
Opcode Fuzzy Hash: 8bd8e504a034b87407e31502255312c2fdad7c9750b4d86b5a6dddd64cd212b0
Instruction Fuzzy Hash: D3D1FDB66083508BC324CF20D84276BBBF2FFD5308F55892DE5D58B750EA799506CB8A

Function 00431950 Relevance: 9.1, APIs: 6, Instructions: 142clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431972
GetWindowLongW.USER32 ref: 0043199D
GetClipboardData.USER32 ref: 004319AF
GlobalLock.KERNEL32 ref: 004319CC
GlobalUnlock.KERNEL32 ref: 00431AF9
CloseClipboard.USER32 ref: 00431B01

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 7be4a827ccf0f5152673b226c45710812e2ccb21480d6ed1afd3655ce8d89f7a
Instruction ID: 308d146ce37f44807979266dd93ca1a0f5b50c14c597f89adf72db8de493270b
Opcode Fuzzy Hash: 7be4a827ccf0f5152673b226c45710812e2ccb21480d6ed1afd3655ce8d89f7a
Instruction Fuzzy Hash: B851C5B1908B828FC700AB7C984526EBFA16B46321F04873ED4E6873D5D338A555C797

Function 0041DE60 Relevance: 8.3, Strings: 6, Instructions: 840COMMON

Download Yara Rule

Strings

6=, xrefs: 0041E24C
w, xrefs: 0041E09A
C, xrefs: 0041E50A
aMBJ, xrefs: 0041E046
D+-P, xrefs: 0041E04E
]fkd, xrefs: 0041E10E

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: 6=$C$D+-P$]fkd$aMBJ$w
API String ID: 0-4018905454
Opcode ID: a1a27d6657a0ee3178788cb3cc61dfd365409ec59b3d6dd14552c35944bc649d
Instruction ID: 0ac44ab12f960bae33324579b262fc3b8f14a91bebc233603f3e70efa257c1e4
Opcode Fuzzy Hash: a1a27d6657a0ee3178788cb3cc61dfd365409ec59b3d6dd14552c35944bc649d
Instruction Fuzzy Hash: 3852367450C3518FC721CF25C8407AFBBE2AF96304F18866EE8E49B392DB399946C756

Function 0040AA70 Relevance: 7.9, Strings: 6, Instructions: 402COMMON

Download Yara Rule

Strings

=,~, xrefs: 0040ACEA
VCDL, xrefs: 0040AD9E
fbjh, xrefs: 0040AA82
VCDL, xrefs: 0040AEB0, 0040AE20, 0040AF03, 0040AEFA, 0040AE5B, 0040AD34, 0040AE50
G|DK, xrefs: 0040AEB5
@,~, xrefs: 0040AD23

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: =,~$@,~$G|DK$VCDL$VCDL$fbjh
API String ID: 0-1999548202
Opcode ID: 7b47b74433e3aca60274e993afb02c47513f6d217ace26e66e9d18c190e8373f
Instruction ID: a245660ac79e47a3a89e18c4caf5984e1cc74a87a8a86e48551de0ef4b02a26a
Opcode Fuzzy Hash: 7b47b74433e3aca60274e993afb02c47513f6d217ace26e66e9d18c190e8373f
Instruction Fuzzy Hash: 64D1287264C3814FC318CF25849026FBBE2ABD1304F19497DE4D26B395DB79891ACB87

Function 0042AF23 Relevance: 7.8, Strings: 6, Instructions: 312COMMON

Download Yara Rule

Strings

0, xrefs: 0042B358
SaPc, xrefs: 0042B5D9
', xrefs: 0042B3B2
lm, xrefs: 0042B5FA
D, xrefs: 0042B472
P=oE, xrefs: 0042B570

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: '$0$D$P=oE$SaPc$lm
API String ID: 0-1306618164
Opcode ID: fce3b13907fbbb53e3b0f925af38e96580cbeceb5828bf517373359705315a38
Instruction ID: 2bc8ce3519ae07df5903fb616336709ea2e6f2bb7036f7c0a5bc5e8fa5ba8981
Opcode Fuzzy Hash: fce3b13907fbbb53e3b0f925af38e96580cbeceb5828bf517373359705315a38
Instruction Fuzzy Hash: 89A1077060C3A08AD324CB35949137BBB91EFD3304F68855ED8CA5B386D77D8809979B

Function 0042B232 Relevance: 6.5, Strings: 5, Instructions: 298COMMON

Download Yara Rule

Strings

SaPc, xrefs: 0042B5D9
', xrefs: 0042B3B2
lm, xrefs: 0042B5FA
P=oE, xrefs: 0042B570
D, xrefs: 0042B472

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: '$D$P=oE$SaPc$lm
API String ID: 0-1012698278
Opcode ID: 69f8c56a5f14ea1f589b753a34dd70a25107b508a5a78b5e7340e3df6bfc1450
Instruction ID: 21d318620b177b7419a979bfe7171019712ef0a84cd18ff3731e60fea33794dd
Opcode Fuzzy Hash: 69f8c56a5f14ea1f589b753a34dd70a25107b508a5a78b5e7340e3df6bfc1450
Instruction Fuzzy Hash: B091057160C3A08AE328CB3994913BBBBD1DF93304F68855ED4C95B386CB798449879A

Function 0042B2BD Relevance: 6.5, Strings: 5, Instructions: 298COMMON

Download Yara Rule

Strings

SaPc, xrefs: 0042B5D9
', xrefs: 0042B3B2
lm, xrefs: 0042B5FA
P=oE, xrefs: 0042B570
D, xrefs: 0042B472

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: '$D$P=oE$SaPc$lm
API String ID: 0-1012698278
Opcode ID: 0cc9bb65d3929c355b2bc861e67a9c6e74b856add978100da6fc3c4026a94298
Instruction ID: d0c21149ac3b738f3b883a2da5a5e8e8f7c43579b7075b21084a2daec299cd2a
Opcode Fuzzy Hash: 0cc9bb65d3929c355b2bc861e67a9c6e74b856add978100da6fc3c4026a94298
Instruction Fuzzy Hash: BC91047160C3A08AE328CB3994913BBBBD1EF93304F68855ED4C95B386C7798449879A

Function 0042B2FE Relevance: 6.5, Strings: 5, Instructions: 276COMMON

Download Yara Rule

Strings

SaPc, xrefs: 0042B5D9
', xrefs: 0042B3B2
lm, xrefs: 0042B5FA
P=oE, xrefs: 0042B570
D, xrefs: 0042B472

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: '$D$P=oE$SaPc$lm
API String ID: 0-1012698278
Opcode ID: 434c4c3d881853e1ca4d1c93b4e026bb895851482e19c0c390fbc66c8ff39883
Instruction ID: e4f8450d6dd57be7ec65c53bf5736f6c6ecd56d09deca8a0822c8659db5e78bf
Opcode Fuzzy Hash: 434c4c3d881853e1ca4d1c93b4e026bb895851482e19c0c390fbc66c8ff39883
Instruction Fuzzy Hash: 9A81F3716083E08AE324CF3994913BBBBE1EFD3304F68895ED4C95B386D7794409979A

Function 0042265F Relevance: 5.4, Strings: 4, Instructions: 436COMMON

Download Yara Rule

Strings

b'B, xrefs: 004226D5
, xrefs: 00422AE0, 00422B25
R,B, xrefs: 00422C3F
f5B, xrefs: 00422E72

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: R,B$b'B$f5B$
API String ID: 0-2771370682
Opcode ID: ab80412b6b5391307162bcb4aef494005b64a72416618e291bf0f3fbef441d71
Instruction ID: 6f4834ae0008b7d9077d97454cc597a05d305b09aa83aeef5ea21193606c9899
Opcode Fuzzy Hash: ab80412b6b5391307162bcb4aef494005b64a72416618e291bf0f3fbef441d71
Instruction Fuzzy Hash: C2E1BD76A18601EFD718CF28E84072AB3E1FB89315F09897CE98593290D775ED21CB45

Function 00415A3C Relevance: 5.3, Strings: 4, Instructions: 323COMMON

Download Yara Rule

Strings

4W8Y, xrefs: 00415CD6
7[1], xrefs: 00415C03
CE, xrefs: 00415C13
'KM, xrefs: 00415C23

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: 'KM$4W8Y$7[1]$CE
API String ID: 0-717799971
Opcode ID: 036e13a73145100797150f35350f3a5f8997d8edf960123b4cc45be0493f02c5
Instruction ID: 28ba0580aa522d0f70fa7913219a40ad54c9ded5df36483563a8bbfceea6f183
Opcode Fuzzy Hash: 036e13a73145100797150f35350f3a5f8997d8edf960123b4cc45be0493f02c5
Instruction Fuzzy Hash: 8AA188B0508341CBE324CF25C8A17ABBBE1FFD2314F058A5DE4855B2A1E7B98945CB96

Function 00414500 Relevance: 4.2, Strings: 3, Instructions: 473COMMON

Download Yara Rule

Strings

NA, xrefs: 004147AA
BPA, xrefs: 00415039
, xrefs: 004150E0

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: BPA$NA$
API String ID: 0-1914403767
Opcode ID: 138d22465c89d5f0a71849bbf039c09519ca51aa5c8a65d1d7066cb93fe2da40
Instruction ID: 64fd10a836d0f6a00b48349332751ad0c56bdd9b70e3eb7113c3c7f49eddb0ac
Opcode Fuzzy Hash: 138d22465c89d5f0a71849bbf039c09519ca51aa5c8a65d1d7066cb93fe2da40
Instruction Fuzzy Hash: EDD1EF75508300DBD710DF14D852BABB7A0FF8A719F04492EF98587391E778EA48CB9A

Function 00414C87 Relevance: 4.0, Strings: 3, Instructions: 299COMMON

Download Yara Rule

Strings

OMA, xrefs: 00414D18
BPA, xrefs: 00415039
, xrefs: 004150E0

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: BPA$OMA$
API String ID: 0-1474436830
Opcode ID: 03ddb72510bc3a2f65ae13584bf72931759edc714c2e5c77aa9b00d80f06e16e
Instruction ID: 0fc7117bc28b1308fe3fda3a51620852b6cb1a8d86adcc9a5c6cfa6c902dff1d
Opcode Fuzzy Hash: 03ddb72510bc3a2f65ae13584bf72931759edc714c2e5c77aa9b00d80f06e16e
Instruction Fuzzy Hash: 41912039608300EBE715DF15E881B6BB7A0FB8A701F04493DF98553292CB79DE05CB9A

Function 00424ED0 Relevance: 4.0, Strings: 3, Instructions: 270COMMON

Download Yara Rule

Strings

v}, xrefs: 0042513A
SjUl, xrefs: 004251BF, 004251CE
9Y6[, xrefs: 00424FD4

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: 9Y6[$SjUl$v}
API String ID: 0-4211145283
Opcode ID: cbf236f9bf59e28e324902e269a22d67efaf6b67f89c2a06712b5e24f05326d4
Instruction ID: f7cc35e2550f2a47aa5661e87844e8c1b585d2fa2d0cff589080cbfda445c119
Opcode Fuzzy Hash: cbf236f9bf59e28e324902e269a22d67efaf6b67f89c2a06712b5e24f05326d4
Instruction Fuzzy Hash: 5C7126B16093008BD718DF15D85237BBBE2EFD2354F59892DE4868B394E7788905CB4A

Function 004147B9 Relevance: 3.2, Strings: 2, Instructions: 699COMMON

Download Yara Rule

Strings

BPA, xrefs: 00415039
, xrefs: 004150E0

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: BPA$
API String ID: 2994545307-2896343824
Opcode ID: 9bf4cf7a26f39392d267fc78548357752d20e63b9ff45a005b034fe432237105
Instruction ID: 136654892eeeb5617cfea316ad4d1ca6ca0ac28b0beff1735126c38771f777e8
Opcode Fuzzy Hash: 9bf4cf7a26f39392d267fc78548357752d20e63b9ff45a005b034fe432237105
Instruction Fuzzy Hash: 52023279648200EBE714DF24EC81B6B77A1FB8A705F14493DF5C587392D7389D428B8A

Function 0042C2A3 Relevance: 3.1, Strings: 2, Instructions: 559COMMON

Download Yara Rule

Strings

^QI$, xrefs: 0042D177
hzMY, xrefs: 0042D16C

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: ^QI$$hzMY
API String ID: 0-1282304302
Opcode ID: 0348b0d5e51a78aa816c698393cf468e6599c988c7037d4b3de9e0ba6eb492ec
Instruction ID: 58649798743bd542352add918fe21e0ec9b6bf71c020532c7d62306c4ca737c9
Opcode Fuzzy Hash: 0348b0d5e51a78aa816c698393cf468e6599c988c7037d4b3de9e0ba6eb492ec
Instruction Fuzzy Hash: 7A022731A083D18AD735CB25C4917ABBBD19FD7304F5889AEC4C99B382D639890ACB56

Function 004147D6 Relevance: 3.0, Strings: 2, Instructions: 526COMMON

Download Yara Rule

Strings

BPA, xrefs: 00415039
, xrefs: 004150E0

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: BPA$
API String ID: 0-2896343824
Opcode ID: 5825b0bd9c43630007707a22986f7ce427665a95fe2c16934b57244c6e77298c
Instruction ID: 56ae9f307ed92845630f39d5bb616c8bdf7c4d950e5ccb4b5742a27d717fcafe
Opcode Fuzzy Hash: 5825b0bd9c43630007707a22986f7ce427665a95fe2c16934b57244c6e77298c
Instruction Fuzzy Hash: 9AD1FE79608240EBD704DF28E89076BB7E1FBCA701F14893DE5C587391CB399D428B9A

Function 00414EA6 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

BPA, xrefs: 00415039
, xrefs: 004150E0

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: BPA$
API String ID: 0-2896343824
Opcode ID: 880b741b96c8ea52e95154f37fb3ed78d25b307a6d0a38be175bb2aa830b63c4
Instruction ID: dcbea849fc3684e1e295e2c7b278806fab47ff792772d57f0b14191f2823beee
Opcode Fuzzy Hash: 880b741b96c8ea52e95154f37fb3ed78d25b307a6d0a38be175bb2aa830b63c4
Instruction Fuzzy Hash: D751D279608301EBE700DF11E84176BBBA0FB8AB05F04493DF58557292CB79DA19CB9B

Function 004187C8 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

p, xrefs: 0041896E
, xrefs: 00418880, 004188E0, 00418802, 00418816, 00418823

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: p$
API String ID: 0-2151420907
Opcode ID: b4796840c426c80a1fd10eb997b51e1b0d91342dd6401c3bb693561eba50f0e6
Instruction ID: f26ce380dab5b16835a7fa84b6076d4174da6d1fefc106280c318f5582dca5fc
Opcode Fuzzy Hash: b4796840c426c80a1fd10eb997b51e1b0d91342dd6401c3bb693561eba50f0e6
Instruction Fuzzy Hash: C85138B6A082409FE735DF14DC427ABB296BBC6304F59853DD8C993316DF3999018B8B

Function 0040D6E8 Relevance: 2.6, Strings: 2, Instructions: 105COMMON

Download Yara Rule

Strings

:]"5, xrefs: 0040D83F
:]"5, xrefs: 0040D78E

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: :]"5$:]"5
API String ID: 2994545307-2702354623
Opcode ID: 4cb142a30bebd519e8232c179235cccf22ca3408da70e605fd2265ab62536014
Instruction ID: a1601aefd6d8d61de00e2e9a94d22c9c89ba174a471321d9534a6891a9edc2f4
Opcode Fuzzy Hash: 4cb142a30bebd519e8232c179235cccf22ca3408da70e605fd2265ab62536014
Instruction Fuzzy Hash: 9931D239B006009FDB39CB59DCD173777A3AFC5300B58886DD5828B79ACB74AC068A29

Function 00427710 Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

, xrefs: 00427720, 00427760
, xrefs: 004276A0, 004276DC

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: $
API String ID: 0-1425349742
Opcode ID: 001b74b075f04c7bbf727f9cc07938fbe8b0e75df469b6b752271751594f9aa4
Instruction ID: cfc21edff19a116837b8100a6675eeb386130c8a8f7266fd4b24805de3cd0a1e
Opcode Fuzzy Hash: 001b74b075f04c7bbf727f9cc07938fbe8b0e75df469b6b752271751594f9aa4
Instruction Fuzzy Hash: E821273AB0C6308B8715CB18A04153BB392BBCA314F5A962DC9C667315D378EC018BCE

Function 004260A0 Relevance: 1.8, Strings: 1, Instructions: 501COMMON

Download Yara Rule

Strings

:?)L, xrefs: 00426540

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: :?)L
API String ID: 0-2865362724
Opcode ID: 4a44eb360da5562edfa20464dd26032b530491b8ca539e652aa7b9bd1ffe4219
Instruction ID: 0df77341501831126c38f5ba852267324605499adc725c0572340152410f25c5
Opcode Fuzzy Hash: 4a44eb360da5562edfa20464dd26032b530491b8ca539e652aa7b9bd1ffe4219
Instruction Fuzzy Hash: D3F155B56083918FC704DF25A85136FBBE1ABC6308F09483EE9D197381E779D905CB9A

Function 00436FF0 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

, xrefs: 00437065, 00437076, 004371B5, 004371C6, 004370A8, 004370AC

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: 675693b4f3dec6a6f5b8518f7360fab2b59d3b5dec45fdf9472b31202a4a2c0a
Instruction ID: 37fcc28cd1c15dfd754f0477ccae4694f99e48e14a20abd123c4c7425d1214b8
Opcode Fuzzy Hash: 675693b4f3dec6a6f5b8518f7360fab2b59d3b5dec45fdf9472b31202a4a2c0a
Instruction Fuzzy Hash: D9C18BB260C3045BD734DF24C88162BB7A2EBCA714F28A92DE5D557352D639EC01CB9A

Function 00421CA0 Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

, xrefs: 004220C7

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: aa1cb81f5d94861224f4e30d2d48974bf328a0f560018fcea4eef0dba41e3539
Instruction ID: 93d96441acc57dce27db8304c47f71fb0f52079c6fbf8a7ee3f8b99859641a8a
Opcode Fuzzy Hash: aa1cb81f5d94861224f4e30d2d48974bf328a0f560018fcea4eef0dba41e3539
Instruction Fuzzy Hash: 38B17E72A182209BC714DB24EC5163BB3E1EF91354F89892EF895D7391E778ED01C39A

Function 0042A000 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

", xrefs: 0042A2F8

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: c5774d9b097d542688df977bba46f74a85bb5c44b9d2061aea9a3ff8de6bf5be
Instruction ID: 5942145d91ef11cd97b0f61bbba67e36e49fc9177de84490e40a3feac4723113
Opcode Fuzzy Hash: c5774d9b097d542688df977bba46f74a85bb5c44b9d2061aea9a3ff8de6bf5be
Instruction Fuzzy Hash: C2D10672B083209FD714DE24E45076BB7D56B85324F588A2FEC9587382E738EC54879B

Function 0043D560 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

WY, xrefs: 0043D561

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: WY
API String ID: 2994545307-3326743931
Opcode ID: 556caf584344b3987f52aa93436254d912b8a8a225c5ca8c06ead0c49aa260ce
Instruction ID: 11627348a9cb26e111c8c5f377b138600a369df845b92bf9b603d630a082c019
Opcode Fuzzy Hash: 556caf584344b3987f52aa93436254d912b8a8a225c5ca8c06ead0c49aa260ce
Instruction Fuzzy Hash: AF713835A043019BC728AF18D88193FB3A6EFDD350F15942DE9C58B355EB389C51D789

Function 00439790 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

, xrefs: 00439906

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: 282a7fa1dd24af8db8d1c81bb1fc68c8016c22f01cadd80f1e6738776886f631
Instruction ID: e5dd937a847e2ee05c8f734745a5a2785647eeafb7a885f0c7b82ca37bbb39b6
Opcode Fuzzy Hash: 282a7fa1dd24af8db8d1c81bb1fc68c8016c22f01cadd80f1e6738776886f631
Instruction Fuzzy Hash: B5513C73A453108BD711AE2998C0767B791AFCA724F2AE63DD4D867351C2B8DC02CBC6

Function 004287DE Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

FF, xrefs: 00428998

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: FF
API String ID: 0-3065987778
Opcode ID: b4a66bc96d9c4fbb278e084ab5736a028c2cd0ae7df77bfb95e3ad6c61ea3f9e
Instruction ID: a424e0e34d8d92c0d2bd0f2eed0fac8abe2359fcda75a99354e3ee5056e4401c
Opcode Fuzzy Hash: b4a66bc96d9c4fbb278e084ab5736a028c2cd0ae7df77bfb95e3ad6c61ea3f9e
Instruction Fuzzy Hash: BE7169B1A01221CBCB28CFA4D8517BBB7B0FF45310F05455ED892AF361EB389941CB99

Function 0042CC79 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

wsog, xrefs: 0042CC8E

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: wsog
API String ID: 0-2963804835
Opcode ID: 03551751cb976e46d0e4cf2a3021a2fc4b9ab7408602c7fde18f197248f44e93
Instruction ID: 9ce34f7bf73f441bfe81fa83dc93f9f0a66b764ad2a22e9a0a4323dfc0902db9
Opcode Fuzzy Hash: 03551751cb976e46d0e4cf2a3021a2fc4b9ab7408602c7fde18f197248f44e93
Instruction Fuzzy Hash: 20612371A483E08BD7358F2598E03ABBBE1AFD7304F58996DD4C95B342C678050ACB97

Function 00436DC0 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

, xrefs: 00436E25, 00436E36, 00436EC5, 00436EE4

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 11429821a0c2345ce641436b916377a85a7f5c920bbfca7333ea0ff77b894eb8
Instruction ID: 4ed9c80c929b4db25c3bf4beb605025bddd102942f0675078b3f965c403dd927
Opcode Fuzzy Hash: 11429821a0c2345ce641436b916377a85a7f5c920bbfca7333ea0ff77b894eb8
Instruction Fuzzy Hash: A3514675208201BBE710DF28D842B2F77E6EB89704F15983DF58587282D779EC19CB5A

Function 0041B120 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

a,-., xrefs: 0041B1B0

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: a,-.
API String ID: 0-1869981662
Opcode ID: ab6b001557355e69987e6b67a446dd49a1227125a46f0b63bf033a23d0308c38
Instruction ID: e84adea5826cb18e5e5adc14cafdf5eeb831a74d1eefb950f05a795aed71ebd4
Opcode Fuzzy Hash: ab6b001557355e69987e6b67a446dd49a1227125a46f0b63bf033a23d0308c38
Instruction Fuzzy Hash: 1341AC700183868FC714CF25C8616ABBBF0EF97315F44599DE4D29B261E3788989CB9A

Function 0041B61C Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

H^C, xrefs: 0041B66D

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: H^C
API String ID: 0-2654715390
Opcode ID: 844e25aeb176e4dadff19c295b89aa6401fe047b0411c403c6cd6788610ea154
Instruction ID: 6469c2bb830a157838c7279deb09550eff19c3cc948af1320cc67bafd3bff72c
Opcode Fuzzy Hash: 844e25aeb176e4dadff19c295b89aa6401fe047b0411c403c6cd6788610ea154
Instruction Fuzzy Hash: 6A41477150D3C15BD3058F3948606BBBBE19FE7214F1849AEE0E197392CB7888458796

Function 0042C188 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

DxxL, xrefs: 0042C1CB

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: DxxL
API String ID: 0-4150056923
Opcode ID: d73d5297bda40690a93d1056d69ad4f1345f76df0155264a642f57d106982fdb
Instruction ID: ce1c02f9925dca4d2e46fc1568302a0b9933d8bd795f1edac7d053ba7f988a7a
Opcode Fuzzy Hash: d73d5297bda40690a93d1056d69ad4f1345f76df0155264a642f57d106982fdb
Instruction Fuzzy Hash: FE3159507083918BE7358B2994917FFBBD09FA3304F5844AEE1C597383C678450AC76E

Function 0042C147 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

DxxL, xrefs: 0042C1CB

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: DxxL
API String ID: 0-4150056923
Opcode ID: 6da6958bee4e900fc6ab00e95103220abc88a20daf3f3875432a63bf65bd8ec8
Instruction ID: efcfa201c18711c065bee2d363b1c96a465ff238bae448fa11d241cf9ba3058a
Opcode Fuzzy Hash: 6da6958bee4e900fc6ab00e95103220abc88a20daf3f3875432a63bf65bd8ec8
Instruction Fuzzy Hash: B43148607083918BE7258B2994917FF7BD09FA3304F6844AEE1D597383C66C450AC76E

Function 00422579 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

, xrefs: 004225D0, 00422610

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 99201f52007c87ebf8d7565a7219acc8d54b99c500ce0979ddc1ba691974cab5
Instruction ID: 8be3360088e42b40a04a840d64e7b7fcfc74cd1e5546f589b75b34edf50f6ee5
Opcode Fuzzy Hash: 99201f52007c87ebf8d7565a7219acc8d54b99c500ce0979ddc1ba691974cab5
Instruction Fuzzy Hash: 9331F633A04120ABD319CF29DC41637B6E2ABD5714F9D867CE89197396DA38CC42C785

Function 0043D460 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

@, xrefs: 0043D4B0

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 0df5a2b5e5e39aec051e266cd3aa1daf3f5d88879281b0831093396b24284e2d
Instruction ID: be6cf69b68958c8a19e1643370d84e8478f5d1fb03354caf948d2e08801bbdbe
Opcode Fuzzy Hash: 0df5a2b5e5e39aec051e266cd3aa1daf3f5d88879281b0831093396b24284e2d
Instruction Fuzzy Hash: 2221A075808300ABD310DF18E8C066BB7F5FBD9364F54592DE5C847350D339A954CB66

Function 0041B37D Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

~, xrefs: 0041B385

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 0ed45fb7e943745d84f93e36996beb7e1aaad25fcab130322a82476dff51599d
Instruction ID: ce824417b1f5831f6e97182605dea6b857740039206a83cdbb4ed48413c7b3b3
Opcode Fuzzy Hash: 0ed45fb7e943745d84f93e36996beb7e1aaad25fcab130322a82476dff51599d
Instruction Fuzzy Hash: 1F11273AA483504FD318CE769C801AAF7E2ABDB214F4D956DDCD5A3721D678D8028689

Function 00407490 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0260ea75d04cc455f59547eb9f2c4dfe48096ed27a2d710ee8f7820f2a5753ec
Instruction ID: df3a78ccb02f349945d1170494ce215813fb9d00435de8accb5a1e36d0a382b7
Opcode Fuzzy Hash: 0260ea75d04cc455f59547eb9f2c4dfe48096ed27a2d710ee8f7820f2a5753ec
Instruction Fuzzy Hash: 6512A272A087118BC725DF18D8806ABB3E1BFC5315F19893ED986A7385D738B851CB87

Function 00405930 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82822453ecf6c153629959857d537bf3bb9fad70fd69b8faa98d661e8c366e8a
Instruction ID: 5276be162b070f9b090b242944ddea4bd8a9340eedaa780f6fea285a7915de73
Opcode Fuzzy Hash: 82822453ecf6c153629959857d537bf3bb9fad70fd69b8faa98d661e8c366e8a
Instruction Fuzzy Hash: FFF1F4356087418FC724CF29C88066BFBE6EFD9304F08882EE4D597791E679E904CB96

Function 00421940 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c2d22e824e76c52ebef0a1ae3b01a52185696cff2c4b98ee44d844017e9e54
Instruction ID: f1e367e0748553411959a2e864e3b38c58cbc3c1a4399d886b9c6a67456ab20e
Opcode Fuzzy Hash: f6c2d22e824e76c52ebef0a1ae3b01a52185696cff2c4b98ee44d844017e9e54
Instruction Fuzzy Hash: 339133B17043119BD7209F24DC82B6BB7B1EF91354F44882DE9868B3A1F778E905C76A

Function 00439270 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec56d4e8fd7f4b4782adf4879964bda712e22de5460c3f498210c0c432f48698
Instruction ID: 8980fe099f26eee69651818e74b039d909859cd5d36a4a95cf05caaac3f33d49
Opcode Fuzzy Hash: ec56d4e8fd7f4b4782adf4879964bda712e22de5460c3f498210c0c432f48698
Instruction Fuzzy Hash: DD61AE77A482105BD328EA25DC4173B7392ABDC714F2AD53DDCC967345D5749C028BC9

Function 0042AE6D Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d8a0ac42730c65d6de5a3907bd647074d23bcf75ebf3852161892a0e012dea
Instruction ID: 0fcc90472f5b609ad1a5d73cad40bbcbea0859674aa8ad28be02ad01fda87724
Opcode Fuzzy Hash: 16d8a0ac42730c65d6de5a3907bd647074d23bcf75ebf3852161892a0e012dea
Instruction Fuzzy Hash: 00512D71A083E08BD7298B2594903ABBFD29FD7304F5DC5ADC5C997346C53C85068B9B

Function 0042AEC8 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47f37dba22f69fdd7c591f985a402b23cb97af800c9b3d33631caeed597aa02
Instruction ID: cb494427570d705ee04c045b7931920664f01a995278bd22abde5d9277bed1f7
Opcode Fuzzy Hash: a47f37dba22f69fdd7c591f985a402b23cb97af800c9b3d33631caeed597aa02
Instruction Fuzzy Hash: 0C516961B093E08BD7358B3994903ABBBD29FD7204F5CC5AEC4C59B386C63C44068B9B

Function 0040DF90 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a8923a6b1a6d2b9eda28acfb96e87182fe125498adf2d874ecdab55a651f90f
Instruction ID: 6b3c61f3d0f9be6a41401cd7babee7e3b28053143bffc8b41ae1736c4c55946c
Opcode Fuzzy Hash: 4a8923a6b1a6d2b9eda28acfb96e87182fe125498adf2d874ecdab55a651f90f
Instruction Fuzzy Hash: F5511975B002005BD725AB27AC92A3F7263AFD5308F18443DE586273C7DF78B852965E

Function 00437470 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbbd278e5346792075ccc770337240212b6791fff7d12b9c0d466c4d48a3876
Instruction ID: 68fa0494882afe34795b8c7dbdf002bdb8a879a64060c7f55c17d573e10cda34
Opcode Fuzzy Hash: 6bbbd278e5346792075ccc770337240212b6791fff7d12b9c0d466c4d48a3876
Instruction Fuzzy Hash: 4F3119B6A08304BBE7249E15DC81B6B77E4EB49718F00183EF9C593251E239EC148796

Function 00430150 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8df3ccfe967c00ed7eb3bb75ca0796262123d940464a32308015768ed3a9404
Instruction ID: a7b5a866144ff64f9b18a6a90a281ad8cc1962d49be93913574f069863dd7987
Opcode Fuzzy Hash: a8df3ccfe967c00ed7eb3bb75ca0796262123d940464a32308015768ed3a9404
Instruction Fuzzy Hash: 3F6170B4109B81CFE770CF05E58869BBBE0BBC9319F90891ED8985B752C7741448CF8A

Function 0041977F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8411e07d91d23c8875852353a1047f7fa85f82fc7b880bed9979b3d0a9ec5a
Instruction ID: 7aa9701163730795e8eb22795dc96be1bf9a51b90b1c7ad773b0dfb2d802edf9
Opcode Fuzzy Hash: 4b8411e07d91d23c8875852353a1047f7fa85f82fc7b880bed9979b3d0a9ec5a
Instruction Fuzzy Hash: 5431E170A183508BC7349F20C8A57ABB7B5EFA2314F145A1DD4C64B391EB398842CB5A

Function 00408900 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4978e547e6ceab342348929904c20169c998236b956ff5984cb678301bfde9
Instruction ID: 306989a7cb80e5ec1fac7689f88370a109a04662da8b9820a83665e34c3c1d9f
Opcode Fuzzy Hash: cd4978e547e6ceab342348929904c20169c998236b956ff5984cb678301bfde9
Instruction Fuzzy Hash: D41134B3B106104BD318CA29D88066672D3D7C8328F6A82BED55AEB291C976DD038784

Function 00433C50 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 628d1d110df3658465e6e7452b782b496416bbb98a03fbee6bb6e75ccd14b7cf
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4E1100337051E40EC3158D3C8400565BFD31AE7235F5D639AF4B4AB2D2D52B8E8B9359

Function 00429A40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfae7cdd952f5a4356311988f2348f261255b75e3ac6fbf419073882b6d495d
Instruction ID: e2d5e5dcdbb96af89a145ae3cb8329f10c86a96092386d54165ea2753c3e75d7
Opcode Fuzzy Hash: ccfae7cdd952f5a4356311988f2348f261255b75e3ac6fbf419073882b6d495d
Instruction Fuzzy Hash: 830171F1B0036157E7209E56A4C272BB2A96F90718F58443EE80957342DB7AFC05C69A

Function 0040A111 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0b49bd3f051538667b0bafe47e1941cb136d9acaffbe598405356e189bdecb
Instruction ID: e8e074581d6a4bd2122801b2dc18736b07c14ab2b32c046da7b0c690de26d7bf
Opcode Fuzzy Hash: 1b0b49bd3f051538667b0bafe47e1941cb136d9acaffbe598405356e189bdecb
Instruction Fuzzy Hash: 4FF0C97DD11900AFD704AF21FC9282D7A33FB1B249F98607EE90476236EE754424AB4D

Function 00419553 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5633c33c0695a57209dee85a55e987389ff74260c75a046e3da1cdd736db7e
Instruction ID: bda1dc54c6d8c295820d7b5c30391c745ab678327e03e6c8fedf9fa577d5089e
Opcode Fuzzy Hash: 1d5633c33c0695a57209dee85a55e987389ff74260c75a046e3da1cdd736db7e
Instruction Fuzzy Hash: C3B092A9C08001A6E0112F113C4253AB0360953A1DF04603AE80A32247EA3AFA1A545F

Function 0043155F Relevance: 38.6, APIs: 2, Strings: 20, Instructions: 78COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431579
VariantInit.OLEAUT32 ref: 0043158C

Strings

S, xrefs: 004315A9
#, xrefs: 00431608
=, xrefs: 004315AE
E, xrefs: 00431603
6, xrefs: 004315CC
A, xrefs: 004315EF
Y, xrefs: 004315C7
_, xrefs: 004315E5
I, xrefs: 00431617
[, xrefs: 004315D1
G, xrefs: 0043160D
W, xrefs: 004315BD
#, xrefs: 004315F4
], xrefs: 004315DB
6, xrefs: 004315A4
=, xrefs: 004315D6
C, xrefs: 004315F9
H, xrefs: 00431612
), xrefs: 004315FE
U, xrefs: 004315B3

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: #$#$)$6$6$=$=$A$C$E$G$H$I$S$U$W$Y$[$]$_
API String ID: 2610073882-756886029
Opcode ID: b91a809fdb98a42b43ec7d6b372c4ba5635ba1ce74e5f2095759d9af49be6edd
Instruction ID: e0ea4074bb450d800c747b57188fe3bb82f30bd0daf89dd16ce01c4b95f0e413
Opcode Fuzzy Hash: b91a809fdb98a42b43ec7d6b372c4ba5635ba1ce74e5f2095759d9af49be6edd
Instruction Fuzzy Hash: 4841397040C7C0DED356DB28D49834BBFE16B96318F485A9DE0D85B292C2BA8549CB67

Function 004312EB Relevance: 38.6, APIs: 2, Strings: 20, Instructions: 77COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004312F5
VariantInit.OLEAUT32 ref: 00431308

Strings

#, xrefs: 00431384
H, xrefs: 0043138E
Y, xrefs: 00431343
E, xrefs: 0043137F
C, xrefs: 00431375
], xrefs: 00431357
=, xrefs: 0043132A
S, xrefs: 00431325
#, xrefs: 00431370
6, xrefs: 00431320
[, xrefs: 0043134D
I, xrefs: 00431393
), xrefs: 0043137A
U, xrefs: 0043132F
_, xrefs: 00431361
G, xrefs: 00431389
6, xrefs: 00431348
W, xrefs: 00431339
A, xrefs: 0043136B
=, xrefs: 00431352

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: #$#$)$6$6$=$=$A$C$E$G$H$I$S$U$W$Y$[$]$_
API String ID: 2610073882-756886029
Opcode ID: db0036a411fb88bd0f1c16f221509f66b468d07afae7b18c1ee4e74d2d59960c
Instruction ID: 96663e3943058709b23e930c12873b17fcec39b4579d1b0eb2fdb43bd50695f8
Opcode Fuzzy Hash: db0036a411fb88bd0f1c16f221509f66b468d07afae7b18c1ee4e74d2d59960c
Instruction Fuzzy Hash: 5741257000C7C08EE356DB28D48835BBFE16B9A318F489A5DE4D81B292D7B98549CB57

Function 00430B6C Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 104COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00430BB6

Strings

1, xrefs: 00430C4E
', xrefs: 00430C1C
%, xrefs: 00430C12
-, xrefs: 00430C3A
!, xrefs: 00430BFE
+, xrefs: 00430C30
/, xrefs: 00430C44
0, xrefs: 00430C49
), xrefs: 00430C26
#, xrefs: 00430C08

Memory Dump Source

Source File: 00000003.00000002.1740887540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_cache_registerer.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: !$#$%$'$)$+$-$/$0$1
API String ID: 1927566239-1697852811
Opcode ID: 37e178cda217340a0c4a75893a5e2ea84126451f47ed18ac247ab84696917f78
Instruction ID: 99bb2ef6571b2e54b26f1f09ec267c2ea0374f3bbd8647d3cefa1095a214f959
Opcode Fuzzy Hash: 37e178cda217340a0c4a75893a5e2ea84126451f47ed18ac247ab84696917f78
Instruction Fuzzy Hash: 3651287110C7C18ED3258B38885879FBFE1AB92314F184A6DE1E58B3D2D7788549CB63

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cache_registerer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
cache_registerer.exe

Function 004FE1A9 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 004E17D0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 293
fileCOMMON

Function 004E1D30 Relevance: 18.2, APIs: 12, Instructions: 176
threadCOMMON

Function 004E9BBE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 004E70B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 004E13F0 Relevance: 4.6, APIs: 3, Instructions: 149
COMMON

Function 004E1710 Relevance: 4.6, APIs: 3, Instructions: 60
memoryCOMMON

Function 004E6F9F Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 004E20C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMONLIBRARYCODE

Function 004EF4C2 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 004E234A Relevance: 3.1, APIs: 2, Instructions: 94
COMMONLIBRARYCODE

Function 004EFC9B Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 004EA59C Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 004E9C89 Relevance: 1.6, APIs: 1, Instructions: 56
COMMONLIBRARYCODE